Remove deprecated CSP directive plugin-types

The Content Security Policy plugin-types is deprecated, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types. The plugin-types directive is only used if you are allowing plugins with object-src at all – we don't allow anything in object-src.