plugin-types

The plugin-types directive specifies which MIME types of plugins can be embedded in your web application. This directive is deprecated and object-src should be used instead.

Possible Values

MIME types (e.g., application/x-java-applet)
Multiple MIME types can be specified
Empty value blocks all plugins

Example Configurations

Allows specific plugin type

Allow only Java applets

Content-Security-Policy: plugin-types application/x-java-applet

Allowed

<!-- allowed by application/x-java-applet -->
<object type='application/x-java-applet' data='/java/player.class'></object>

Blocked

<!-- blocked as application/x-shockwave-flash is not allowed -->
<object type='application/x-shockwave-flash' data='/flash/player.swf'></object>

Additional Information

This directive is deprecated in favor of object-src
Modern web applications rarely use browser plugins
Consider using HTML5 alternatives instead of plugins
When possible, avoid using plugins altogether for better security

plugin-types

Possible Values

Example Configurations

Allows specific plugin type

Allowed

Blocked

Additional Information

Related Resources

External Articles

Related Documentation Sections

Table of Contents