plugin-types

The plugin-types directive specifies which MIME types of plugins can be embedded in your web application. This directive is deprecated and object-src should be used instead.

Possible Values

  • MIME types (e.g., application/x-java-applet)
  • Multiple MIME types can be specified
  • Empty value blocks all plugins

Example Configurations

Allows specific plugin type

Allow only Java applets

Content-Security-Policy: plugin-types application/x-java-applet

Allowed

<!-- allowed by application/x-java-applet -->
<object type='application/x-java-applet' data='/java/player.class'></object>

Blocked

<!-- blocked as application/x-shockwave-flash is not allowed -->
<object type='application/x-shockwave-flash' data='/flash/player.swf'></object>

Additional Information

  • This directive is deprecated in favor of object-src
  • Modern web applications rarely use browser plugins
  • Consider using HTML5 alternatives instead of plugins
  • When possible, avoid using plugins altogether for better security

Related Resources

External Articles

Related Documentation Sections