CSP: plugin-types

The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.

Instantiation of an <embed>, <object> or <applet> element will fail if:

• the element to load does not declare a valid MIME type,
• the declared type does not match one of specified types in the plugin-types directive,
• the fetched resource does not match the declared type.

One or more MIME types can be set for the plugin-types policy:

Content-Security-Policy: plugin-types <type>/<subtype>;
Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;

<type>/<subtype>

A valid MIME type.

To disallow all plugins, the object-src directive should be set to 'none' which will disallow plugins. The plugin-types directive is only used if you are allowing plugins with object-src at all.

<meta http-equiv="Content-Security-Policy" content="object-src 'none'">

The content security policy

Content-Security-Policy: plugin-types application/x-shockwave-flash

will allow to load flash objects:

<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>

To load an <applet> you must specify application/x-java-applet:

Content-Security-Policy: plugin-types application/x-java-applet

Not part of any current specification. Used to be defined in CSP 2.

• Content-Security-Policy: object-src
• <object>
• <embed>
• <applet>
• X-Content-Type-Options