The 'plugin-types' directive allows developers to restrict which types of plugins can be loaded via <embed> or <object> HTML elements. Its main purpose was to let developers block Flash in their pages. Since Flash support has been discontinued, the directive no longer serves much purpose.

Motivation

The CSP directive 'plugin-types' allows web developers to restrict which plugins a page can load via the HTML elements <embed> and <object>. The main goal was to allow developers to disable Flash. Since Flash support has been discontinued, this is no longer needed. See also the discussion at https://github.com/w3c/webappsec-csp/issues/394.

Status in Chromium

Blink>SecurityFeature>ContentSecurityPolicy


Enabled by default (tracking bug) in:

  • Chrome for desktop release 90
  • Chrome for Android release 90

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • No signal
  • No signals

Owner

Last updated on 2021-06-09