plugin-typesplugin-types restricted which plugins could be loaded via <object>/<embed> by MIME type (e.g., allowing only application/pdf). But with the end of the plugin era it was deprecated and is removed/unsupported in modern browsers.
It was once used to whitelist specific plugin MIME types (Flash's application/x-shockwave-flash, Java, PDF viewers) to prevent arbitrary plugin execution. Where object-src controls 'where' plugin content loads from, plugin-types was a complementary directive controlling 'what type' loads.
As browser plugins like Flash were entirely retired, this directive lost its reason to exist, and browsers like Chrome ignore or removed it. The modern best practice is to consolidate plugin control into a single object-src 'none'. Don't add plugin-types to new policies; specify object-src 'none' instead.
Content-Security-Policy: plugin-types application/pdf