Missing object-src in CSP Declaration
Description
The Content Security Policy (CSP) for this application does not include an explicit object-src directive. object-src governs what <object>, <embed>, and <applet> elements may load; when it is absent, the browser falls back to default-src, and if default-src is also absent or permissive, plugins such as Flash, Java, or other embedded objects can load from any source, potentially bypassing other security controls. Modern CSP best practices recommend explicitly defining all fetch directives, including object-src, to prevent unintended content execution.
Remediation
Add an explicit object-src directive to your Content Security Policy. For most modern applications that do not require plugin support, set this directive to 'none' to block all plugin content.
Recommended CSP Configuration:
Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self'; style-src 'self';
If your application requires specific plugins or embedded objects, whitelist only trusted sources:
Content-Security-Policy: default-src 'self'; object-src 'self' https://trusted-cdn.example.com; script-src 'self';
Implementation Steps:
1. Review your application to determine if plugins (Flash, Java applets, etc.) are required
2. Add object-src 'none'; to your CSP header if plugins are not needed
3. If plugins are required, specify only trusted sources using object-src 'self' [trusted-domains];
4. Test the updated CSP in report-only mode first using the Content-Security-Policy-Report-Only header
5. Monitor CSP violation reports and adjust the policy as needed
6. Deploy the enforcing CSP header once validated
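The following checker is an added example, not part of the original advisory or of any scanner's code. It parses a CSP header value, applies the fallback rule described above (object-src inherits from default-src when absent), and reports whether plugin content is effectively blocked, restricted, or unrestricted. The sample header values are constructed to cover the recommended configuration, the whitelisted variant, and the two ways the directive can be missing.

```python
"""Check a Content-Security-Policy header for an effective object-src restriction.

Added example (not from the original advisory). Applies the CSP fallback rule:
object-src is a fetch directive, so when it is absent the browser uses
default-src; if neither is present, <object>/<embed> loads are unrestricted.
"""
from typing import Dict, List, Optional

# Constructed sample header values, as a scanner might observe them.
SAMPLE_HEADERS = {
    "missing_with_default": "default-src 'self'; script-src 'self'; style-src 'self';",
    "missing_no_default": "script-src 'self'; style-src 'self';",
    "recommended": "default-src 'self'; object-src 'none'; script-src 'self'; style-src 'self';",
    "whitelisted": "default-src 'self'; object-src 'self' https://trusted-cdn.example.com; script-src 'self';",
    "wildcard": "default-src *; script-src 'self';",
}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token of each is the directive name
    (case-insensitive). Only the first occurrence of a directive is honoured,
    matching browser behaviour for duplicated directives.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_object_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list governing plugin content, or None if unrestricted."""
    if "object-src" in policy:
        return policy["object-src"]
    return policy.get("default-src")  # fallback; None when default-src is absent too


def assess(header_value: str) -> dict:
    """Classify a header: is object-src explicit, what applies, are plugins blocked?"""
    policy = parse_csp(header_value)
    explicit = "object-src" in policy
    sources = effective_object_src(policy)
    if sources is None or "*" in sources:
        status = "unrestricted"  # no governing directive, or a wildcard source
    elif sources == ["'none'"]:
        status = "blocked"
    else:
        status = "restricted"
    return {"explicit_object_src": explicit, "effective_sources": sources, "status": status}


def finding(header_value: str) -> Optional[str]:
    """Return the advisory text to raise for this header, or None if no finding applies."""
    result = assess(header_value)
    if result["explicit_object_src"]:
        return None
    if result["status"] == "unrestricted":
        return "Missing object-src; plugin content may load from any source"
    inherited = " ".join(result["effective_sources"])
    return f"Missing object-src; currently inherited from default-src ({inherited}), add an explicit directive"


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:22} {assess(value)['status']:13} {finding(value) or 'OK'}")
```

Run it against a captured header value (for example, the value of the Content-Security-Policy-Report-Only header during step 4) to confirm that object-src is both explicit and effective before promoting the policy to the enforcing header in step 6.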