CSP: plugin-types

The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.

Instantiation of an <embed>, <object> or <applet> element will fail if:

  • the element to load does not declare a valid MIME type,
  • the declared type does not match one of the types specified in the plugin-types directive,
  • the fetched resource does not match the declared type.

CSP version: 2
Directive type: Document directive
default-src fallback: No. Not setting this allows anything.

Syntax

One or more MIME types can be set for the plugin-types policy:

Content-Security-Policy: plugin-types <type>/<subtype>;
Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;
<type>/<subtype>
A valid MIME type.

Examples

Disallowing plugins

To disallow all plugins, set the object-src directive to 'none'. The plugin-types directive is only used if you are allowing plugins with object-src at all.

<meta http-equiv="Content-Security-Policy" content="object-src 'none'">

Allowing Flash content

The content security policy

Content-Security-Policy: plugin-types application/x-shockwave-flash

allows Flash objects to be loaded:

<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>

Allowing Java applets

To load an <applet> you must specify application/x-java-applet:

Content-Security-Policy: plugin-types application/x-java-applet
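
The three failure conditions listed at the top of this page, applied to the example policies above as a simplified decision function. This is an added example, not browser or MDN code: parsePolicy, checkPlugin and the reason strings are hypothetical names, and object-src is modelled only for the 'none' case.

```javascript
// Simplified model of the plugin-types checks (illustrative, not a browser implementation).
const MIME_RE = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/i;

// Split a Content-Security-Policy header value into a Map of directive -> values.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// declaredType: the element's type attribute (null when absent).
// fetchedType: the Content-Type of the fetched resource.
function checkPlugin(header, declaredType, fetchedType) {
  const policy = parsePolicy(header);
  const objectSrc = policy.get("object-src") || [];
  if (objectSrc.length === 1 && objectSrc[0].toLowerCase() === "'none'") {
    return { allowed: false, reason: "object-src 'none' disallows all plugins" };
  }
  if (!policy.has("plugin-types")) {
    return { allowed: true, reason: "no plugin-types directive, nothing restricted" };
  }
  if (!declaredType || !MIME_RE.test(declaredType)) {
    return { allowed: false, reason: "element does not declare a valid MIME type" };
  }
  const allowedTypes = policy.get("plugin-types").map((t) => t.toLowerCase());
  const declared = declaredType.toLowerCase(); // MIME types compare case-insensitively
  if (!allowedTypes.includes(declared)) {
    return { allowed: false, reason: "declared type is not listed in plugin-types" };
  }
  // Compare the type/subtype only, ignoring parameters such as charset.
  const fetched = (fetchedType || "").split(";")[0].trim().toLowerCase();
  if (fetched !== declared) {
    return { allowed: false, reason: "fetched resource does not match the declared type" };
  }
  return { allowed: true, reason: "declared and fetched type are both permitted" };
}

// Constructed sample input: the Flash policy from this page, with a mismatched response.
const FLASH = "plugin-types application/x-shockwave-flash";
console.log(checkPlugin(FLASH, "application/x-shockwave-flash", "text/html"));
```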

Browser compatibility

Desktop
Browser              plugin-types
Chrome               40
Edge                 15
Firefox              No (see bug 1045899)
Internet Explorer    No
Opera                27
Safari               10

Mobile
Browser              plugin-types
Android webview      Yes
Chrome for Android   Yes
Firefox for Android  No
Opera for Android    ?
Safari on iOS        9.3
Samsung Internet     Yes

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types