plugin-types
The plugin-types directive specifies the MIME types of plugins that can be embedded in the document. This directive is deprecated and object-src should be used instead.
Tips & Tricks
This directive is deprecated
Examples
Allows only plugins with the MIME type application/x-java-applet
Content-Security-Policy: plugin-types application/x-java-applet
Allowed
<!-- allowed by application/x-java-applet -->
<object type='application/x-java-applet' data='/java/player.class'></object>
Blocked
<!-- blocked as application/x-shockwave-flash is not allowed -->
<object type='application/x-shockwave-flash' data='/flash/player.swf'></object>
Frequently Asked Questions
What is the plugin-types directive used for?
The plugin-types directive specifies which MIME types are allowed for plugins loaded via <object>, <embed>, and <applet> elements. However, this directive is deprecated and object-src should be used instead.
Deprecated Directive
The plugin-types directive is deprecated. Use object-src instead to control plugin content loading.
What are valid values for plugin-types?
The plugin-types directive accepts MIME type values like 'application/x-java-applet' or 'application/x-shockwave-flash'. However, since this directive is deprecated and plugins are no longer commonly used, it is recommended to use object-src 'none' instead.
Modern Alternative
For modern web applications, use object-src 'none' to block all plugin content rather than trying to allowlist specific MIME types.
Should I use plugin-types in my CSP?
No, you should not use plugin-types in new CSP implementations. This directive is deprecated and most modern browsers have removed support for plugins like Flash and Java applets. Instead, use object-src to control any legacy plugin content.
Best Practice
Focus on implementing object-src rather than plugin-types for controlling plugin content in your CSP.
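The migration recommended above can be checked mechanically. The following added example (not code from this page or from any CSP library; the function names parseCsp and auditPluginControls are hypothetical) parses a policy value and reports whether plugin content is actually blocked, taking into account that object-src falls back to default-src when absent.

```javascript
// Added example: audit a Content-Security-Policy header value for plugin controls.
// parseCsp and auditPluginControls are hypothetical helper names, not a library API.

// Parse a policy into Map<directive-name, source-expression[]>.
// Directive names are case-insensitive; when a directive is repeated, the first wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function auditPluginControls(header) {
  const policy = parseCsp(header);
  const findings = [];
  // object-src falls back to default-src when it is absent.
  const source = policy.has('object-src') ? 'object-src'
    : policy.has('default-src') ? 'default-src' : null;
  const list = source ? policy.get(source) : null;
  // An empty list or a lone 'none' matches nothing; 'none' beside other sources is ignored.
  const pluginsBlocked = list !== null &&
    (list.length === 0 || (list.length === 1 && list[0].toLowerCase() === "'none'"));

  if (policy.has('plugin-types')) {
    findings.push('plugin-types is deprecated: remove it and rely on object-src');
  }
  if (source === null) {
    findings.push("no object-src or default-src: plugin content is unrestricted; add object-src 'none'");
  } else if (!pluginsBlocked) {
    findings.push(`${source} allows plugin content from: ${list.join(' ')}; prefer object-src 'none'`);
  }
  return { usesPluginTypes: policy.has('plugin-types'), governedBy: source, pluginsBlocked, findings };
}

// Constructed sample policies (the first is the header value from the Examples section).
const samples = [
  'plugin-types application/x-java-applet',
  "default-src 'self'; plugin-types application/x-shockwave-flash",
  "default-src 'self'; object-src 'none'",
];
for (const s of samples) console.log(s, '=>', auditPluginControls(s));
```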