Directive: plugin types

Overview

Caution

Obsolete: Between 2013–2014, browser vendors announced deprecations of Netscape Plugin API (NPAPI) plugins.

Google removed all NPAPI support from Chromium in September 2015. Google offered the Pepper Plugin API (PPAPI) as an alternative for plugins like Adobe Flash, but that was deprecated in 2017 and removed in August 2022.

Mozilla removed support for everything except for Adobe Flash from Firefox 52 in 2017, and removed all NSAPI support from the Firefox 78 ESR release in October 2021.

Apple removed support for everything except for Adobe Flash from Safari 12 in 2018, and removed all NSAPI support from Safari 14 in September 2020.

The plugin-types directive was meant to be paired with the object-src directive to restrict which plugin media types (née mime types) could be embedded in <object>, <embed>, and <applet> HTML elements.

Instantiation of <object>, <embed>, and <applet> HTML elements will fail if:

• the element to load does not declare a valid MIME type,
• the declared type does not match one of specified types in the plugin-types directive,
• the fetched resource does not match the declared type.

Affects: <object>; <embed>; <applet>

Required reading:

• Can I use plugin-types?
• MDN Web Docs reference

Usage examples

Accepts one or more media types.

plugin-types application/pdf application/x-shockwave-flash

Fallbacks

❌ plugin-types does not fallback to default-src.

Possible errors

• CSP-0300 — [ERROR] directive %s has an invalid value %s
• CSP-0804 — [ERROR] directive plugin-types is obsolete; remove this directive from the policy

For developers

ABNF (CSP3)

None. Removed in CSP Level 3.

Type

• media-type-list in CSP2

References

• CSP Level 2 reference
• MDN Web Docs reference
• Can I use plugin-types?