CentralCSP

plugin-types


The plugin-types directive specifies the MIME types of plugins that can be embedded in the document. This directive is deprecated and object-src should be used instead.

Tips & Tricks

  • This directive is deprecated

Examples

  • Allows only plugins with the Java applet MIME type

    Content-Security-Policy: plugin-types application/x-java-applet

    Allowed

    <!-- allowed by application/x-java-applet -->
    <object type='application/x-java-applet' data='/java/player.class'></object>

    Blocked

    <!-- blocked as application/x-shockwave-flash is not allowed -->
    <object type='application/x-shockwave-flash' data='/flash/player.swf'></object>

Frequently Asked Questions

What is the plugin-types directive used for?

The plugin-types directive specifies which MIME types are allowed for plugins loaded via <object>, <embed>, and <applet> elements. However, this directive is deprecated and object-src should be used instead.

Deprecated Directive

The plugin-types directive is deprecated. Use object-src instead to control plugin content loading.

What are valid values for plugin-types?

The plugin-types directive accepts MIME type values such as application/x-java-applet or application/x-shockwave-flash. However, since this directive is deprecated and plugins are no longer commonly used, using object-src 'none' instead is recommended.

Modern Alternative

For modern web applications, use object-src 'none' to block all plugin content rather than trying to allowlist specific MIME types.

Should I use plugin-types in my CSP?

No, you should not use plugin-types in new CSP implementations. This directive is deprecated and most modern browsers have removed support for plugins like Flash and Java applets. Instead, use object-src to control any legacy plugin content.

Best Practice

Focus on implementing object-src rather than plugin-types for controlling plugin content in your CSP.
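
An added example (not CentralCSP's own code): a small Node.js check that parses a Content-Security-Policy value, flags the deprecated plugin-types directive, and reports whether plugin content is blocked through object-src or its default-src fallback. The function names are assumptions made for illustration, and the migrated policy follows this page's object-src 'none' recommendation.

```javascript
// Added example, not CentralCSP code. Function names are illustrative.

// Parse a policy into a Map of directive name -> source values. Directive
// names are case-insensitive and a repeated directive is ignored (first wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when a source list matches nothing: empty, or exactly 'none'.
function matchesNothing(sources) {
  return sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
}

function auditPluginPolicy(header) {
  const directives = parsePolicy(header);
  const findings = [];
  if (directives.has('plugin-types')) {
    findings.push('plugin-types is deprecated; remove it');
    directives.delete('plugin-types');
  }
  // object-src falls back to default-src when it is not set explicitly.
  const effective = directives.get('object-src') ?? directives.get('default-src');
  const blocksPlugins = effective !== undefined && matchesNothing(effective);
  if (!blocksPlugins) {
    if (directives.has('object-src')) {
      findings.push('object-src still allows plugin content; review it');
    } else {
      findings.push("plugin content is not blocked; adding object-src 'none'");
      directives.set('object-src', ["'none'"]);
    }
  }
  const migrated = [...directives]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
  return { findings, blocksPlugins, migrated };
}

// The policy from the example on this page.
console.log(auditPluginPolicy('plugin-types application/x-java-applet'));
```

An explicit object-src that still allows sources is reported but left unchanged, since tightening it needs a review of what the site embeds.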


CentralSaaS © 2025