With the Content Security Policy v2, being introduced in Chrome 40, there is the new directive "plugin-types".
Assuming the website does not use any plugins, what is the correct way to define that?
Content-Security-Policy: default-src 'none'; plugin-types ; ...
Which results in the Google Chrome warning (via reportInvalidPluginTypes):
'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.
Or do you go with the 'none' option used by other directives, such as:
Content-Security-Policy:default-src 'none'; plugin-types 'none'; ...
Invalid plugin type in 'plugin-types' Content Security Policy directive: ''none''.
I should add that this only seems to appear when a page tries to load a plugin (e.g. if you embed an iframe for Vimeo).