Revision 1139153 of CSP: plugin-types

  • Revision slug: Web/HTTP/Headers/Content-Security-Policy/plugin-types
  • Revision title: Content-Security-Policy: plugin-types
  • Revision id: 1139153
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment new page

Revision Content

{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.

Instantiation of an {{HTMLElement("embed")}}, {{HTMLElement("object")}} or {{HTMLElement("applet")}} element will fail if:

  • the element does not declare a valid MIME type (for example through its type attribute),
  • the declared type does not match one of the types listed in the plugin-types directive,
  • the fetched resource does not match the declared type.
  • CSP version: 2
  • Directive type: Document directive
  • {{CSP("default-src")}} fallback: No. Not setting this allows anything.

Syntax

One or more MIME types, separated by spaces, can be set for the plugin-types policy:

Content-Security-Policy: plugin-types <type>/<subtype>;
Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;
<type>/<subtype>
A valid MIME type.

Examples

Disallowing plugins

To disallow all plugins, set the {{CSP("object-src")}} directive to 'none'. The plugin-types directive is only relevant if object-src (or the default-src it falls back to) allows plugins at all: on its own it never blocks anything, because a policy without plugin-types permits every type, and browser support for the directive is limited (see the compatibility table below).

<meta http-equiv="Content-Security-Policy" content="object-src 'none'">

Allowing Flash content

The content security policy

Content-Security-Policy: plugin-types application/x-shockwave-flash

allows Flash objects to be loaded, provided the element declares that type and object-src (or default-src) also permits the resource's origin:

<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>

Allowing Java applets

To load an {{HTMLElement("applet")}} you must specify application/x-java-applet:

Content-Security-Policy: plugin-types application/x-java-applet
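The following JavaScript is an added example, not code from this page or from any browser's CSP implementation. It models the decision a user agent makes for an object, embed or applet element: the three conditions listed at the top of the page are checked against the plugin-types directive, after a simplified object-src check ('none', 'self', '*', scheme-only, host and scheme+host sources; ports and paths are ignored) on the resource URL. The policy strings, the URLs and the document origin https://app.example are constructed for illustration, and `pluginAllowed`, `parsePolicy`, `essence`, `sourceMatches` and `objectSrcAllows` are names chosen here, not spec or browser APIs.

```javascript
// Added example (not code from the MDN page or from any browser): a model of
// how a user agent decides whether an <object>, <embed> or <applet> may be
// instantiated under a policy that combines object-src and plugin-types.
// object-src source matching is simplified: 'none', 'self', '*', scheme-only
// ("https:"), host ("example.com", "*.example.com") and scheme+host
// ("https://example.com") sources; ports and paths are ignored.

// Parse "name value value; name value" into { name: [values] }.
// As in CSP, only the first occurrence of a directive is honoured.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Reduce "type/subtype; charset=..." to its lowercase "type/subtype" essence,
// or null when the value is absent or not a valid MIME type.
function essence(mime) {
  if (typeof mime !== "string") return null;
  const m = /^\s*([\w.+-]+)\/([\w.+-]+)/.exec(mime);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// Does one object-src source expression match the resource URL?
function sourceMatches(src, url, documentOrigin) {
  if (src === "*") return true;
  if (src === "'self'") return url.origin === documentOrigin;
  if (src.startsWith("'")) return false;            // other keywords: not modelled
  if (!src.includes("://") && src.endsWith(":")) return url.protocol === src;
  let scheme = null, host = src;
  const i = src.indexOf("://");
  if (i !== -1) { scheme = src.slice(0, i); host = src.slice(i + 3); }
  host = host.split("/")[0].split(":")[0].toLowerCase();   // drop path and port
  if (scheme !== null && url.protocol !== `${scheme}:`) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// object-src falls back to default-src; if neither is set, any URL is allowed.
// An empty source list or 'none' blocks every plugin resource.
function objectSrcAllows(policy, resourceUrl, documentOrigin) {
  const sources = policy["object-src"] ?? policy["default-src"];
  if (sources === undefined) return true;
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const url = new URL(resourceUrl);
  return sources.some(src => sourceMatches(src, url, documentOrigin));
}

// Decide whether the plugin element loads. `declaredType` is the element's
// type attribute (may be missing); `fetchedType` is the Content-Type of the
// response for `resourceUrl`. Returns { allowed, reason }.
function pluginAllowed(header, { resourceUrl, declaredType, fetchedType, documentOrigin }) {
  const policy = parsePolicy(header);
  if (!objectSrcAllows(policy, resourceUrl, documentOrigin)) {
    return { allowed: false, reason: "object-src blocks the resource URL" };
  }
  const allowedTypes = policy["plugin-types"];
  if (allowedTypes === undefined) {
    // plugin-types has no default-src fallback: omitting it permits every type.
    return { allowed: true, reason: "no plugin-types directive" };
  }
  const declared = essence(declaredType);
  if (declared === null) {
    return { allowed: false, reason: "element declares no valid MIME type" };
  }
  if (!allowedTypes.map(t => t.toLowerCase()).includes(declared)) {
    return { allowed: false, reason: `${declared} is not listed in plugin-types` };
  }
  if (essence(fetchedType) !== declared) {
    return { allowed: false, reason: "fetched resource does not match the declared type" };
  }
  return { allowed: true, reason: "declared and fetched type are permitted" };
}

// Constructed inputs mirroring the Flash and applet examples on this page.
const FLASH = "application/x-shockwave-flash";
const APPLET = "application/x-java-applet";
const page = { resourceUrl: "https://example.com/flash", documentOrigin: "https://app.example" };

console.log(pluginAllowed("object-src 'none'", { ...page, declaredType: FLASH, fetchedType: FLASH }));
console.log(pluginAllowed(`plugin-types ${FLASH}`, { ...page, declaredType: FLASH, fetchedType: FLASH }));
console.log(pluginAllowed(`plugin-types ${FLASH}`, { ...page, declaredType: APPLET, fetchedType: APPLET }));
console.log(pluginAllowed(`plugin-types ${FLASH}`, { ...page, declaredType: FLASH, fetchedType: "text/html; charset=utf-8" }));
```

With the Flash-only policy from this section, only an element that declares application/x-shockwave-flash and receives a response whose Content-Type has that essence is allowed; a missing type attribute, an applet type, or a text/html response is rejected, and object-src 'none' rejects the load before plugin-types is consulted at all. Combining `object-src https://example.com` with `plugin-types application/x-java-applet` shows the two directives working together: the URL must pass object-src and the type must pass plugin-types.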

Specifications

Specification Status Comment
{{specName("CSP 3.0")}} {{Spec2('CSP 3.0')}} No changes.
{{specName("CSP 1.1")}} {{Spec2('CSP 1.1')}} Initial definition.

Browser compatibility

{{Compat}}

See also

  • {{HTTPheader("Content-Security-Policy")}}: {{CSP("object-src")}}
  • {{HTMLElement("object")}}
  • {{HTMLElement("embed")}}
  • {{HTMLElement("applet")}}
  • {{HTTPHeader("X-Content-Type-Options")}}

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} <code><strong>plugin-types</strong></code> directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.</p>

<p>Instantiation of an {{HTMLElement("embed")}}, {{HTMLElement("object")}} or&nbsp;{{HTMLElement("applet")}} element will fail if:</p>

<ul>
 <li>the element does not declare a valid MIME type (for example through its <code>type</code> attribute),</li>
 <li>the declared type does not match one of the types listed in the <code>plugin-types</code> directive,</li>
 <li>the fetched resource does not match the declared type.</li>
</ul>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">CSP version</th>
   <td>2</td>
  </tr>
  <tr>
   <th scope="row">Directive type</th>
   <td>Document directive</td>
  </tr>
  <tr>
   <th scope="row">{{CSP("default-src")}} fallback</th>
   <td>No. Not setting this allows anything.</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<p>One or more <a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME types</a>, separated by spaces, can be set for the plugin-types policy:</p>

<pre class="syntaxbox">
Content-Security-Policy: plugin-types &lt;type&gt;/&lt;subtype&gt;;
Content-Security-Policy: plugin-types &lt;type&gt;/&lt;subtype&gt; &lt;type&gt;/&lt;subtype&gt;;
</pre>

<dl>
 <dt>&lt;type&gt;/&lt;subtype&gt;</dt>
 <dd>A valid <a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Complete_list_of_MIME_types">MIME type</a>.</dd>
</dl>

<h2 id="Examples">Examples</h2>

<h3 id="Meta_tag_configuration">Disallowing plugins</h3>

<p>To disallow all plugins, set the {{CSP("object-src")}} directive to <code>'none'</code>. The <code>plugin-types</code> directive is only relevant if <code>object-src</code> (or the <code>default-src</code> it falls back to) allows plugins at all: on its own it never blocks anything, because a policy without <code>plugin-types</code> permits every type, and browser support for the directive is limited (see the compatibility table below).</p>

<pre class="brush: html">
&lt;meta http-equiv="Content-Security-Policy" content="object-src 'none'"&gt;</pre>

<h3>Allowing Flash content</h3>

<p>The content security policy</p>

<pre class="brush: bash">
Content-Security-Policy: plugin-types application/x-shockwave-flash</pre>

<p>allows Flash objects to be loaded, provided the element declares that type and <code>object-src</code> (or <code>default-src</code>) also permits the resource's origin:</p>

<pre class="brush: html">
&lt;object data="https://example.com/flash" type="application/x-shockwave-flash"&gt;&lt;/object&gt;</pre>

<h3 id="Violation_case">Allowing Java applets</h3>

<p>To load an {{HTMLElement("applet")}} you must specify <code>application/x-java-applet</code>:</p>

<pre class="brush: bash">
Content-Security-Policy: plugin-types application/x-java-applet</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("CSP 3.0")}}</td>
   <td>{{Spec2('CSP 3.0')}}</td>
   <td>No changes.</td>
  </tr>
  <tr>
   <td>{{specName("CSP 1.1")}}</td>
   <td>{{Spec2('CSP 1.1')}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPheader("Content-Security-Policy")}}: {{CSP("object-src")}}</li>
 <li>{{HTMLElement("object")}}</li>
 <li>{{HTMLElement("embed")}}</li>
 <li>{{HTMLElement("applet")}}</li>
 <li>{{HTTPHeader("X-Content-Type-Options")}}</li>
</ul>