The object-src Content Security Policy (CSP) directive specifies the valid sources for the <object> and <embed> elements. This covers browser plugin content such as Flash, Java applets, and ActiveX controls.
<object> and <embed> tags are used less and less in modern web applications. In many cases such tags open a hole for exploitation, for example if an attacker can exploit a bug in the Flash Player plugin or the Java Runtime Environment (JRE).
We can use Content-Security-Policy to block all loading of these resources, or to allow loading them only from trusted sources.
The most common use of the object-src CSP directive is to block the loading of browser plugins such as Java, Flash or ActiveX entirely. This can be accomplished using the 'none' source list value, for example:
Content-Security-Policy: object-src 'none';
The plugin-types directive is a deprecated directive (it was part of CSP Level 2 but has since been removed from the specification and is no longer supported by current browsers) that restricts plugins to a set of allowed MIME types. Its use case was allowing, for example, Java plugins to run while preventing Flash and everything else. Do not rely on it; use object-src to control plugin loading instead.
If you do not specify an object-src directive, but do specify a default-src directive, then the value of the default-src directive is used.
If you specify both an object-src and a default-src directive, then object-src takes precedence.
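The fallback rules above, together with the 'none' example earlier on this page, are easy to get wrong when reviewing a policy by eye. The following is an added example, not code from the original article or from any browser, that parses a Content-Security-Policy header, reports which directive actually governs <object>/<embed> loads, and applies a simplified version of source-expression matching ('none', 'self', '*', scheme sources such as https:, and host sources with optional wildcard and port). Redirects, paths, nonce/hash sources and the exact port-matching rules of the specification are not modelled; the header strings, origins and URLs below are constructed for illustration.

```javascript
// Added example: evaluate how a CSP header governs <object>/<embed> loads.
// Not browser code; source matching is simplified as noted in the lead-in.

function parsePolicy(header) {
  // Directives are separated by ';'; each is a name followed by
  // whitespace-separated source expressions. Names are case-insensitive, and
  // browsers honour only the first occurrence of a duplicated directive name.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Which directive governs plugin content for this policy?
// object-src wins if present, otherwise default-src, otherwise nothing.
function effectiveObjectSrc(header) {
  const d = parsePolicy(header);
  if (d.has('object-src')) return { from: 'object-src', sources: d.get('object-src') };
  if (d.has('default-src')) return { from: 'default-src', sources: d.get('default-src') };
  return { from: null, sources: null }; // nothing restricts <object>/<embed>
}

// Simplified host-source match: optional scheme, host with an optional
// leading "*.", optional port; any path component is ignored.
function hostSourceMatches(src, target) {
  let scheme = null;
  let rest = src;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(src);
  if (m) { scheme = m[1].toLowerCase() + ':'; rest = m[2]; }
  rest = rest.split('/')[0];
  const [hostPat, portPat] = rest.toLowerCase().split(':');
  // An http: source is allowed to match an https: URL; otherwise schemes must agree.
  if (scheme && scheme !== target.protocol &&
      !(scheme === 'http:' && target.protocol === 'https:')) return false;
  const host = target.hostname.toLowerCase();
  if (hostPat.startsWith('*.')) {
    if (!host.endsWith(hostPat.slice(1))) return false;
  } else if (hostPat !== host) {
    return false;
  }
  // Simplification: a source without a port only matches URLs on the
  // scheme's default port (new URL() reports those with an empty port).
  if (portPat === undefined) return target.port === '';
  return portPat === '*' || portPat === target.port;
}

// Would an <object>/<embed> pointing at `url`, on a page at `pageOrigin`,
// be allowed to load under `header`?
function objectAllowed(header, pageOrigin, url) {
  const { sources } = effectiveObjectSrc(header);
  if (sources === null) return true;
  // 'none' blocks everything only when it is the sole expression; alongside
  // other expressions it is ignored.
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") continue;
    if (s === '*') {
      // '*' matches network schemes only, never data:, blob: and the like.
      if (['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol)) return true;
      continue;
    }
    if (s === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { // scheme source such as https:
      if (s === target.protocol || (s === 'http:' && target.protocol === 'https:')) return true;
      continue;
    }
    if (hostSourceMatches(src, target)) return true;
  }
  return false;
}

// Constructed sample: a policy that locks scripts down but forgets object-src
// falls back to default-src, while an explicit object-src 'none' blocks all.
const SITE = 'https://site.example';
console.log(effectiveObjectSrc("default-src 'self'; script-src 'self'").from);   // default-src
console.log(objectAllowed("default-src 'self'", SITE, SITE + '/legacy.swf'));    // true
console.log(objectAllowed("default-src 'self'; object-src 'none'", SITE, SITE + '/legacy.swf')); // false
console.log(objectAllowed("script-src 'self'", SITE, 'https://evil.example/x.swf'));             // true
```

Note the last line: a policy that only sets script-src leaves plugin content completely unrestricted, which is why the recommendation on this page is to set object-src 'none' explicitly rather than relying on the default-src fallback.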
The object-src directive has been part of the Content Security Policy specification since the first version (CSP Level 1).
Internet Explorer 11 and below do not support the CSP object-src directive. This means that IE11 will simply ignore the policy and continue to load object and embed tags, including Flash, Java, ActiveX and so on. For those clients, object-src is no defence at all, so plugin content you do not want loaded must be kept off the page rather than merely blocked by policy.