
The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources that can be loaded.

Instantiation of an <embed>, <object> or <applet> element will fail if:

  • the element to load does not declare a valid MIME type,

  • the declared type does not match one of the types specified in the plugin-types directive,

  • the fetched resource does not match the declared type.

CSP version: 2

Directive type: Document directive

default-src fallback: No.

Syntax

One or more MIME types can be set for the plugin-types policy:

Content-Security-Policy: plugin-types <type>/<subtype>;
Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>;

<type>/<subtype>
A valid MIME type.

Examples

Disallowing plugins

To disallow all plugins, the object-src directive should be set to 'none', which disallows plugins entirely. The plugin-types directive is only used when you are allowing plugins with object-src at all.

<meta http-equiv="Content-Security-Policy" content="object-src 'none'">

Allowing Flash content

The content security policy

Content-Security-Policy: plugin-types application/x-shockwave-flash

will allow Flash objects to be loaded:

<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>

Allowing Java applets

To load an <applet> you must specify application/x-java-applet:

Content-Security-Policy: plugin-types application/x-java-applet
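As an added example (not MDN's code), the following Python models the checks described above: it parses the plugin-types directive from a policy string, applies the three rejection rules to an element's declared type and the fetched Content-Type, and honours object-src 'none' (including its default-src fallback) taking precedence over plugin-types. The MIME-type validity test is a simplified assumption.

```python
import re

# Added example, not MDN's code: a model of the browser-side checks the page
# describes for plugin-types, useful for testing a policy before deploying it.
# Assumption: a token of the form type/subtype is treated as a valid MIME type.
MIME_TYPE = re.compile(r"^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$", re.IGNORECASE)


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def plugin_allowed(header, declared_type, fetched_type):
    """Decide whether an <object>/<embed>/<applet> instantiation passes CSP.

    declared_type: the element's type attribute (None when absent).
    fetched_type:  the Content-Type of the fetched resource.
    Returns (allowed, reason).
    """
    policy = parse_csp(header)
    # object-src 'none' blocks every plugin; plugin-types never re-enables them.
    # object-src itself falls back to default-src when it is not set.
    object_src = policy.get("object-src", policy.get("default-src", []))
    if "'none'" in (v.lower() for v in object_src):
        return False, "object-src 'none' disallows all plugins"
    allowed_types = policy.get("plugin-types")
    if allowed_types is None:
        # plugin-types has no default-src fallback: absent means unrestricted.
        return True, "no plugin-types directive"
    # Rule 1: the element must declare a valid MIME type.
    if not declared_type or not MIME_TYPE.match(declared_type):
        return False, "element does not declare a valid MIME type"
    declared = declared_type.lower()
    # Rule 2: the declared type must be one listed in plugin-types.
    if declared not in {t.lower() for t in allowed_types}:
        return False, "declared type %s is not in plugin-types" % declared
    # Rule 3: the fetched resource must match the declared type
    # (parameters such as charset are ignored in the comparison).
    fetched = (fetched_type or "").split(";")[0].strip().lower()
    if fetched != declared:
        return False, "fetched resource type %r does not match" % fetched
    return True, "allowed"
```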

Specifications

| Specification | Status | Comment |
| Content Security Policy Level 3, the definition of 'plugin-types' in that specification. | Editor's Draft | No changes. |
| Content Security Policy Level 2, the definition of 'plugin-types' in that specification. | Recommendation | Initial definition. |

Browser compatibility

| Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari |
| Basic support | 40 | (No)[1] | (No) | (No) | 27 | 10 |

| Feature | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
| Basic support | ? | (Yes) | (No) | (No) | (No) | ? | 9.3 |
