MDN wants to talk to developers like you: https://qsurvey.mozilla.com/s3/8d22564490d8

CSP: plugin-types

The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.

Instantiation of an <embed>, <object> or <applet> element will fail if:

  • the element to load does not declare a valid MIME type,
  • the declared type does not match one of specified types in the plugin-types directive,
  • the fetched resource does not match the declared type.
CSP version 2
Directive type Document directive
default-src fallback No. Not setting this allows anything.

Syntax

One or more MIME types can be set for the plugin-types policy:

Content-Security-Policy: plugin-types <type>/<subtype>;
Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;
<type>/<subtype>
A valid MIME type.

Examples

Disallowing plugins

To disallow all plugins, the object-src directive should be set to 'none' which will disallow plugins. The plugin-types directive is only used if you are allowing plugins with object-src at all.

<meta http-equiv="Content-Security-Policy" content="object-src 'none'">

Allowing Flash content

The content security policy

Content-Security-Policy: plugin-types application/x-shockwave-flash

will allow to load flash objects:

<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>

Allowing Java applets

To load an <applet> you must specify application/x-java-applet:

Content-Security-Policy: plugin-types application/x-java-applet

Specifications

Specification Status Comment
Content Security Policy Level 3
The definition of 'plugin-types' in that specification.
Editor's Draft No changes.
Content Security Policy Level 2
The definition of 'plugin-types' in that specification.
Candidate Recommendation Initial definition.

Browser compatibility

Feature Chrome Edge Firefox Internet Explorer Opera Safari Servo
Basic Support40No supportNo support1No support2710?
Feature Android Chrome for Android Edge Mobile Firefox for Android IE Mobile Opera Mobile Safari Mobile
Basic Support?(Yes)No supportNo supportNo support?9.3

1. See Bugzilla bug 1045899.

See also

Document Tags and Contributors

 Contributors to this page: teoli, fscholz
 Last updated by: teoli,