diff --git a/config/install/seckit.settings.yml b/config/install/seckit.settings.yml
index 7c7d11b..78caf77 100644
--- a/config/install/seckit.settings.yml
+++ b/config/install/seckit.settings.yml
@@ -13,6 +13,7 @@ seckit_xss:
connect-src: ''
report-uri: '/report-csp-violation'
policy-uri: ''
+ plugin-types: ''
x_xss:
seckit_x_xss_option_disable: Disabled
seckit_x_xss_option_0: '0'
diff --git a/config/schema/seckit.schema.yml b/config/schema/seckit.schema.yml
index 35e5644..a732294 100644
--- a/config/schema/seckit.schema.yml
+++ b/config/schema/seckit.schema.yml
@@ -52,6 +52,9 @@ seckit.settings:
policy-uri:
type: string
label: 'Policy URI'
+ plugin-types:
+ type: string
+ label: 'Plugin types'
x_xss:
type: mapping
label: 'X-XSS'
diff --git a/src/EventSubscriber/SecKitEventSubscriber.php b/src/EventSubscriber/SecKitEventSubscriber.php
index 622f98a..8cd15ad 100644
--- a/src/EventSubscriber/SecKitEventSubscriber.php
+++ b/src/EventSubscriber/SecKitEventSubscriber.php
@@ -177,6 +177,7 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
$csp_connect_src = $this->config->get('seckit_xss.csp.connect-src');
$csp_report_uri = $this->config->get('seckit_xss.csp.report-uri');
$csp_policy_uri = $this->config->get('seckit_xss.csp.policy-uri');
+ $csp_plugin_types = $this->config->get('seckit_xss.csp.plugin-types');
// Prepare directives.
$directives = [];
@@ -219,6 +220,9 @@ class SecKitEventSubscriber implements EventSubscriberInterface {
if ($csp_report_uri) {
$directives[] = "report-uri " . base_path() . $csp_report_uri;
}
+ if ($csp_plugin_types) {
+ $directives[] = "plugin-types $csp_plugin_types";
+ }
// Merge directives.
$directives = implode('; ', $directives);
// }
diff --git a/src/Form/SecKitSettingsForm.php b/src/Form/SecKitSettingsForm.php
index 76d9a48..e24ee2f 100644
--- a/src/Form/SecKitSettingsForm.php
+++ b/src/Form/SecKitSettingsForm.php
@@ -207,6 +207,15 @@ class SecKitSettingsForm extends ConfigFormBase {
'#description' => $this->t("Specify a URL (relative to the Drupal root) for a file containing the (entire) policy. All other directives will be omitted by Security Kit, as policy-uri may only be defined in the absence of other policy definitions in the X-Content-Security-Policy HTTP header. The MIME type for this URI must be text/x-content-security-policy, otherwise user-agents will enforce the policy allow 'none' instead."),
];
+ // CSP plugin-types
+ $form['seckit_xss']['csp']['plugin-types'] = array(
+ '#type' => 'textfield',
+ '#maxlength'=> 1024,
+ '#default_value' => $config->get('seckit_xss.csp.plugin-types'),
+ '#title' => 'plugin-types ',
+ '#description' => t("Defines valid MIME types for plugins invoked via <object> and <embed>. To load an <applet> you must specify application/x-java-applet."),
+ );
+
// Fieldset for X-XSS-Protection.
$form['seckit_xss']['x_xss'] = [
'#type' => 'details',
diff --git a/src/Tests/SecKitCSPCaseTest.php b/src/Tests/SecKitCSPCaseTest.php
index 8bcc7e1..7cf9ec3 100644
--- a/src/Tests/SecKitCSPCaseTest.php
+++ b/src/Tests/SecKitCSPCaseTest.php
@@ -143,6 +143,7 @@ class SecKitCSPCaseTest extends WebTestBase {
'seckit_xss[csp][connect-src]' => '',
'seckit_xss[csp][report-uri]' => $this->reportPath,
'seckit_xss[csp][policy-uri]' => '',
+ 'seckit_xss[csp][plugin-types]' => '',
];
$this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
$expected = "default-src self; report-uri " . base_path() . $this->reportPath;
diff --git a/src/Tests/SecKitTestCaseTest.php b/src/Tests/SecKitTestCaseTest.php
index e43c6b1..a1c17d5 100644
--- a/src/Tests/SecKitTestCaseTest.php
+++ b/src/Tests/SecKitTestCaseTest.php
@@ -153,6 +153,7 @@ class SecKitTestCaseTest extends WebTestBase {
'seckit_xss[csp][connect-src]' => '',
'seckit_xss[csp][report-uri]' => $this->reportPath,
'seckit_xss[csp][policy-uri]' => '',
+ 'seckit_xss[csp][plugin-types]' => '',
];
$this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
$expected = "default-src self; report-uri " . base_path() . $this->reportPath;