The HTTP Content-Security-Policy
(CSP) plugin-types
directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
Instantiation of an <embed>
, <object>
or <applet>
element will fail if:
plugin-types
directive,CSP version | 2 |
---|---|
Directive type | Document directive |
default-src fallback | No. Not setting this allows anything. |
One or more MIME types can be set for the plugin-types
policy:
Content-Security-Policy: plugin-types <type>/<subtype>; Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;
To disallow all plugins, the object-src
directive should be set to 'none'
which will disallow plugins. The plugin-types
directive is only used if you are allowing plugins with object-src
at all.
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
The content security policy
Content-Security-Policy: plugin-types application/x-shockwave-flash
will allow to load flash objects:
<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
To load an <applet>
you must specify application/x-java-applet
:
Content-Security-Policy: plugin-types application/x-java-applet
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'plugin-types' in that specification. | Editor's Draft | No changes. |
Content Security Policy Level 2 The definition of 'plugin-types' in that specification. | Candidate Recommendation | Initial definition. |
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | Servo |
---|---|---|---|---|---|---|---|
Basic Support | 40 | No support | No support1 | No support | 27 | 10 | ? |
Feature | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|---|
Basic Support | ? | (Yes) | No support | No support | No support | ? | 9.3 |
1. See Bugzilla bug 1045899.
© 2005–2017 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types