plugin-types
Content-Security-Policy Fetch

Overview

plugin-types restricted which plugins could be loaded via <object>/<embed> by MIME type (e.g., allowing only application/pdf). But with the end of the plugin era it was deprecated and is removed/unsupported in modern browsers.

Details

It was once used to whitelist specific plugin MIME types (Flash's application/x-shockwave-flash, Java, PDF viewers) to prevent arbitrary plugin execution. Where object-src controls 'where' plugin content loads from, plugin-types was a complementary directive controlling 'what type' loads.

As browser plugins like Flash were entirely retired, this directive lost its reason to exist, and browsers like Chrome ignore or removed it. The modern best practice is to consolidate plugin control into a single object-src 'none'. Don't add plugin-types to new policies; specify object-src 'none' instead.

Syntax

Content-Security-Policy: plugin-types application/pdf

Notes

Related directives