The HTTP {{HTTPHeader("Content-Security-Policy")}} plugin-types
directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
Instantiation of an {{HTMLElement("embed")}}, {{HTMLElement("object")}} or {{HTMLElement("applet")}} element will fail if:
- the element to load does not declare a valid MIME type,
- the declared type does not match one of the types listed in the plugin-types directive,
- the fetched resource does not match the declared type.
CSP version | 2 |
---|---|
Directive type | Document directive |
{{CSP("default-src")}} fallback | No. If plugin-types is not set, any plugin type may load (subject to object-src). |
Syntax
One or more MIME types can be set for the plugin-types policy:
Content-Security-Policy: plugin-types <type>/<subtype>;
Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;
- <type>/<subtype>
- A valid MIME type.
Examples
Disallowing plugins
To disallow all plugins, set the {{CSP("object-src")}} directive to 'none'.
The plugin-types directive only matters once object-src permits plugins at all:
object-src controls where plugin content may be fetched from, and plugin-types
narrows which MIME types may be instantiated from those sources.
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
Allowing Flash content
The content security policy
Content-Security-Policy: plugin-types application/x-shockwave-flash
allows Flash objects to be loaded:
<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
Allowing Java applets
To load an {{HTMLElement("applet")}}, you must specify application/x-java-applet:
Content-Security-Policy: plugin-types application/x-java-applet
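The following is an added example, not code from MDN or from any browser engine. It models how a user agent applies the policy described at the top of this page (the three failure conditions for embed/object/applet) and the interplay with object-src 'none' shown in the examples above. It assumes a simplified CSP parser (first occurrence of a directive wins, later duplicates are ignored) and treats MIME types as case-insensitive type/subtype with parameters stripped; both are modelling assumptions, and the real object-src source matching is reduced to the 'none' case.

```javascript
// Added example: a model of plugin-types enforcement, not MDN's or a browser's code.
// Assumptions: simplified CSP parsing (first directive wins), MIME comparison on
// lowercase type/subtype only, object-src reduced to the 'none' check.

const MIME_RE = /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/i;

// Parse a Content-Security-Policy header value into a Map of directive -> tokens.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives within one policy: keep the first one.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Reduce a MIME string to its lowercase type/subtype "essence" (parameters dropped),
// or null if it is not a syntactically valid type.
function normalizeMime(value) {
  if (typeof value !== 'string') return null;
  const essence = value.split(';')[0].trim().toLowerCase();
  return MIME_RE.test(essence) ? essence : null;
}

// Decide whether an <object>/<embed>/<applet> may be instantiated.
// declaredType: the element's type attribute; fetchedType: the response Content-Type.
function checkPlugin(header, declaredType, fetchedType) {
  const policy = parsePolicy(header);

  // object-src 'none' (or default-src 'none' as its fallback) blocks every plugin,
  // so plugin-types is never consulted in that case.
  const objectSrc = policy.get('object-src') ?? policy.get('default-src');
  if (objectSrc && objectSrc.length === 1 && objectSrc[0].toLowerCase() === "'none'") {
    return { allowed: false, reason: 'object-src none' };
  }

  // No plugin-types directive: no type restriction is applied.
  const allowedTypes = policy.get('plugin-types');
  if (!allowedTypes) return { allowed: true, reason: 'no plugin-types directive' };

  // Condition 1: the element must declare a valid MIME type.
  const declared = normalizeMime(declaredType);
  if (!declared) return { allowed: false, reason: 'no valid declared type' };

  // Condition 2: the declared type must be one of the listed types.
  const allowSet = new Set(allowedTypes.map((t) => t.toLowerCase()));
  if (!allowSet.has(declared)) {
    return { allowed: false, reason: 'declared type not in plugin-types' };
  }

  // Condition 3: the fetched resource must actually be of the declared type,
  // which is what stops a server from serving a different plugin under a
  // permitted label.
  const fetched = normalizeMime(fetchedType);
  if (fetched !== declared) {
    return { allowed: false, reason: 'fetched resource type mismatch' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample policy and element for a stand-alone run.
const samplePolicy = 'plugin-types application/x-shockwave-flash application/pdf';
console.log(checkPlugin(samplePolicy, 'application/x-shockwave-flash',
  'application/x-shockwave-flash'));
console.log(checkPlugin(samplePolicy, 'application/pdf', 'text/html; charset=utf-8'));
```

The third check is the one practitioners most often overlook: a matching type attribute is not enough, the response's Content-Type has to agree, which is also why {{HTTPHeader("X-Content-Type-Options")}} appears in the See also list.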
Specifications
Specification | Status | Comment |
---|---|---|
{{specName("CSP 3.0")}} | {{Spec2('CSP 3.0')}} | No changes. |
{{specName("CSP 1.1")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
Browser compatibility
{{Compat}}
See also
- {{HTTPheader("Content-Security-Policy")}}: {{CSP("object-src")}}
- {{HTMLElement("object")}}
- {{HTMLElement("embed")}}
- {{HTMLElement("applet")}}
- {{HTTPHeader("X-Content-Type-Options")}}