object-src
The object-src directive specifies the sources from which <object>, <embed>, and <applet> elements can be loaded.
Recommended Values
'none'
Disallows all object sources
Tips & Tricks
If object-src is not defined, the default-src directive will be used.
Don't use 'unsafe-*' values or broad source expressions such as data:, blob:, http: or https:, as they may introduce security vulnerabilities.
Examples
Allows objects from the same origin and a specific external site
Content-Security-Policy: object-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<object data='/js/my_font.js'></object>
<!-- allowed by https://example.com -->
<object data='https://example.com/myfont.js'></object>
Blocked
<!-- blocked as the domain is not authorized -->
<embed src="https://malicious.website.com/flash"></embed>
<!-- blocked as the domain is not authorized -->
<object data="https://malicious.website.com/plugin"></object>
<!-- blocked as the domain is not authorized -->
<applet archive="https://malicious.website.com/java"></applet>
Frequently Asked Questions
What is the object-src directive used for?
The object-src directive controls which sources can be loaded using <object>, <embed>, and <applet> elements. These elements were historically used for plugins like Flash and Java applets. In modern web development, this directive is less important as plugin usage has declined significantly.
Security Best Practice
It's recommended to set object-src to 'none' unless you specifically need to support legacy plugins, as these elements can pose security risks.
How does object-src relate to plugin-types?
While object-src controls where plugin content can be loaded from, plugin-types specifies which MIME types are allowed for plugins. However, both directives are largely deprecated as modern browsers have moved away from plugin-based content in favor of web standards.
Modern Usage
For modern web applications, focus on other CSP directives like script-src and frame-src instead of object-src and plugin-types.
What are the recommended values for object-src?
The most secure approach is to set object-src to 'none'. If you must support legacy plugins, use 'self' to only allow content from your own domain, or explicitly list trusted domains. Avoid using wildcards (*) as they can create security vulnerabilities.
Legacy Support
Only enable object-src with specific sources if you have a documented need for plugin content. Otherwise, blocking all sources with 'none' is the safest option.
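As an added example (not part of the original page), the following Python checker applies the rules described in the tips, examples and FAQ above: it parses a Content-Security-Policy header, falls back to default-src when object-src is absent, decides whether an object or embed URL would be allowed on a given page, and flags the broad values the tips warn against. The page URL and helper names are assumptions, and wildcard handling is simplified to http(s) only.

```python
from urllib.parse import urljoin, urlparse

# Source expressions the tips above warn against: wildcards, broad schemes, unsafe-* keywords.
RISKY_SOURCES = {"*", "data:", "blob:", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header):
    """Turn a Content-Security-Policy header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_object_src(policy):
    """object-src if present, otherwise the default-src fallback; None means no restriction."""
    return policy.get("object-src", policy.get("default-src"))

def source_allows(source, url, page):
    """Check one source expression against an absolute URL; `page` is the parsed document URL."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if source == "*":  # simplification (assumption): the wildcard matches http(s) URLs only
        return u.scheme in ("http", "https")
    if source.endswith(":") and "//" not in source:  # scheme-source such as https:
        return u.scheme == source[:-1]
    # host-source: optional scheme (defaults to the page's), optional *. wildcard, optional port
    s = urlparse(source if "://" in source else "//" + source, scheme=page.scheme)
    if s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host and (s.port is None or s.port == u.port)

def object_allowed(header, url, page_url):
    """Would a browser load <object>/<embed> `url` on `page_url` under this header?"""
    sources = effective_object_src(parse_csp(header))
    if sources is None:
        return True  # neither object-src nor default-src: the browser imposes no limit
    page = urlparse(page_url)
    return any(source_allows(src, urljoin(page_url, url), page) for src in sources)

def risky_object_sources(header):
    """List the weak values from the tips that appear in the effective object-src."""
    sources = effective_object_src(parse_csp(header)) or []
    return sorted(src for src in sources if src in RISKY_SOURCES)
```

Run `object_allowed("object-src 'self' https://example.com;", "/js/my_font.js", "https://app.example.org/")` to reproduce the allowed case from the Examples section; the malicious.website.com URLs return False under the same header.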