object-src

The object-src directive controls which sources can be loaded for <object>, <embed>, and <applet> elements in your web application. This directive is crucial for preventing the execution of potentially dangerous plugins and legacy content.

Recommended Values

  • 'none' No sources are allowed

  • 'self' Allows objects, embeds and applets to be loaded only from the page's own origin (same scheme, host and port)

Recommended object-src configuration

Content-Security-Policy: object-src 'none';

Tips & Tricks

  • If object-src is not defined, the default-src directive will be used.

  • Don't use 'unsafe-*' values or broad scheme sources such as data:, blob:, http: or https:, as they may introduce security vulnerabilities.

Possible Values

  • 'none': No objects/plugins are allowed
  • 'self': Only objects from the same origin are allowed
  • URLs: Specific domains (e.g., https://trusted-domain.com)
  • Schemes: Protocol schemes (e.g., https:)

Example Configurations

Basic policy blocking all objects

CSP Header blocking all objects

Content-Security-Policy: object-src 'none';

Allow objects from same origin and specific domain

CSP Header allowing specific sources

Content-Security-Policy: object-src 'self' https://example.com;

Allowed

<!-- allowed by 'self' -->
<object data="/js/my_font.js"></object>

<!-- allowed by https://example.com -->
<object data="https://example.com/myfont.js"></object>

Blocked

<!-- blocked as the domain is not authorized -->
<embed src="https://malicious.website.com/flash">

<!-- blocked as the domain is not authorized -->
<object data="https://malicious.website.com/plugin"></object>

<!-- blocked as the domain is not authorized -->
<applet archive="https://malicious.website.com/java"></applet>
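The following is an added example, not code from this page: a small evaluator that applies an object-src policy to the Allowed/Blocked cases above the way a browser does, including the fallback to default-src described under Tips & Tricks. The page origin https://shop.example/, the function names and the simplified handling of default ports are assumptions.

```python
"""Minimal evaluator for the CSP object-src directive (added example)."""
from urllib.parse import urljoin, urlparse

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    As in browsers, the first occurrence of a directive wins."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _host_matches(pattern, host):
    """Host-source matching, including the *.example.com wildcard form."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def _source_matches(src, page, target):
    src = src.lower()
    if src == "'none'":
        return False                       # 'none' never matches anything
    if src == "'self'":
        return (page.scheme, page.hostname, page.port) == \
               (target.scheme, target.hostname, target.port)
    if src.endswith(":") and "/" not in src:   # scheme source, e.g. https:
        return target.scheme == src[:-1]
    # host source: optional scheme, host (maybe wildcard), optional port
    expr = urlparse(src if "://" in src else "//" + src)
    if expr.scheme and expr.scheme != target.scheme:
        return False
    if not expr.scheme and target.scheme not in (page.scheme, "https"):
        return False                       # schemeless host: page scheme or https
    if expr.port is not None and expr.port != target.port:
        return False                       # default ports are not normalised here
    return _host_matches(expr.hostname or "", target.hostname or "")

def object_src_allows(header, page_url, resource_url):
    """True if the policy lets the page at page_url load resource_url in an
    <object>, <embed> or <applet>. object-src falls back to default-src;
    with neither directive present CSP imposes no restriction."""
    policy = parse_csp(header)
    sources = policy.get("object-src", policy.get("default-src"))
    if sources is None:
        return True
    page = urlparse(page_url)
    target = urlparse(urljoin(page_url, resource_url))
    return any(_source_matches(s, page, target) for s in sources)
```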

Additional Information

  • The object-src directive is important for preventing exploitation through legacy plugins
  • Modern web applications rarely need <object>, <embed>, or <applet> elements
  • Using 'none' is recommended for most applications
  • Consider this directive essential for your security baseline
