plugin-types
The plugin-types directive specifies which MIME types of plugins can be embedded in your web application. This directive is deprecated and object-src should be used instead.
Possible Values
- MIME types (e.g., application/x-java-applet)
- Multiple MIME types can be specified
- Empty value blocks all plugins
Example Configurations
Allows specific plugin type
Allow only Java applets
Content-Security-Policy: plugin-types application/x-java-applet
Allowed
<!-- allowed by application/x-java-applet -->
<object type='application/x-java-applet' data='/java/player.class'></object>
Blocked
<!-- blocked as application/x-shockwave-flash is not allowed -->
<object type='application/x-shockwave-flash' data='/flash/player.swf'></object>
Additional Information
- This directive is deprecated in favor of object-src
- Modern web applications rarely use browser plugins
- Consider using HTML5 alternatives instead of plugins
- When possible, avoid using plugins altogether for better security
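
The allowed/blocked matching from the example configuration and the deprecation noted above, as an added example that is not part of the original page. The function names are hypothetical, and the model checks only the declared type attribute, not the type of the fetched resource.

```javascript
// Added example: simplified model of plugin-types matching plus a deprecation audit.
// Assumption: only the element's declared type attribute is evaluated.

// Parse a Content-Security-Policy value into a Map of directive name -> values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether an <object>/<embed> with the given declared type passes plugin-types.
function pluginAllowed(policy, declaredType) {
  const csp = parseCsp(policy);
  if (!csp.has('plugin-types')) return true; // directive absent: it imposes no restriction
  if (!declaredType) return false;           // a type attribute must be declared
  const allowed = csp.get('plugin-types').map((t) => t.toLowerCase());
  // MIME types compare case-insensitively; an empty list matches nothing.
  return allowed.includes(declaredType.trim().toLowerCase());
}

// Flag policies that still rely on the deprecated directive.
function auditPolicy(policy) {
  const csp = parseCsp(policy);
  const findings = [];
  if (csp.has('plugin-types')) {
    findings.push('plugin-types is deprecated; restrict plugins with object-src instead');
  }
  if (!csp.has('object-src') && !csp.has('default-src')) {
    findings.push('no object-src or default-src: plugins are not restricted by a current directive');
  }
  return findings;
}

// Constructed sample input: the policy value from the page's example configuration.
const samplePolicy = 'plugin-types application/x-java-applet';
console.log(pluginAllowed(samplePolicy, 'application/x-java-applet'));     // Java applet
console.log(pluginAllowed(samplePolicy, 'application/x-shockwave-flash')); // Flash
console.log(auditPolicy(samplePolicy));
```
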