Implement plugin-types directive for CSP that restricts what types of plugins can load on a page. From the draft spec: "The plugin-types directive restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded. ". See the URL for details.
Note: since we're removing support for all plugins except Flash in FF52, and the current sandboxing status-quo is to not allow plugins at all, I'm not sure this is worthwhile. Should we consider WONTFIXing this or even removing this from CSP 1.1?