object-src
The object-src directive controls which sources can be loaded for <object>, <embed>, and <applet> elements in your web application. This directive is crucial for preventing the execution of potentially dangerous plugins and legacy content.
Recommended Values
'none': No sources are allowed
'self': Allows objects to be loaded and executed only from the same origin as the page
Recommended object-src configuration
Content-Security-Policy: object-src 'none';
Tips & Tricks
If object-src is not defined, the default-src directive will be used.
Don't use 'unsafe-*' keywords or broad scheme sources such as data:, blob:, http: or https:, as they may introduce security vulnerabilities.
Possible Values
- 'none': No objects/plugins are allowed
- 'self': Only objects from the same origin are allowed
- URLs: Specific domains (e.g., https://trusted-domain.com)
- Schemes: Protocol schemes (e.g., https:)
Example Configurations
Basic policy blocking all objects
CSP Header blocking all objects
Content-Security-Policy: object-src 'none';
Allow objects from same origin and specific domain
CSP Header allowing specific sources
Content-Security-Policy: object-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<object data="/js/my_font.js"></object>
<!-- allowed by https://example.com -->
<object data="https://example.com/myfont.js"></object>
Blocked
<!-- blocked as the domain is not authorized -->
<embed src="https://malicious.website.com/flash">
<!-- blocked as the domain is not authorized -->
<object data="https://malicious.website.com/plugin"></object>
<!-- blocked as the domain is not authorized -->
<applet archive="https://malicious.website.com/java"></applet>
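As an added worked example (not code from the original page), the following Python helper evaluates the rules described above: it parses a Content-Security-Policy header value (without the header name), applies the default-src fallback from Tips & Tricks when object-src is absent, and checks an object URL against the 'none', 'self', host and scheme source expressions listed under Possible Values. The page origin https://app.test is a constructed value used for resolving 'self' and root-relative URLs.

```python
from urllib.parse import urlparse

# Constructed page origin for the examples; not a value from the original page.
PAGE_ORIGIN = "https://app.test"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_object_src(policy: dict):
    """object-src falls back to default-src when absent; None means no restriction at all."""
    if "object-src" in policy:
        return policy["object-src"]
    return policy.get("default-src")


def source_matches(expr: str, target_url: str, page_origin: str) -> bool:
    """Match one source expression ('none', 'self', scheme or host URL) against a URL."""
    target = urlparse(target_url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr.endswith(":") and "/" not in expr:
        # Scheme source such as https: matches any host that uses that scheme.
        return target.scheme == expr[:-1]
    # Host source such as https://example.com: scheme and host must both match.
    host = urlparse(expr)
    return (target.scheme, target.netloc) == (host.scheme, host.netloc)


def object_allowed(header: str, target_url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Decide whether an <object>/<embed>/<applet> resource URL passes the policy."""
    sources = effective_object_src(parse_csp(header))
    if sources is None:
        return True  # neither object-src nor default-src set: nothing blocks the load
    if target_url.startswith("/"):
        target_url = page_origin + target_url  # root-relative URLs resolve to the page origin
    return any(source_matches(s, target_url, page_origin) for s in sources)
```

Running it against the example configurations above shows the same-origin font and the https://example.com resource passing while the malicious.website.com URLs are rejected, and a policy with only default-src 'self' restricting objects through the fallback.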
Additional Information
- The object-src directive is important for preventing exploitation through legacy plugins
- Modern web applications rarely need <object>, <embed>, or <applet> elements
- Using 'none' is recommended for most applications
- Consider this directive essential for your security baseline