Content Security Policy (CSP)
Quick Reference Guide


The CSP object-src Directive

The object-src Content Security Policy (CSP) directive specifies the valid sources for the <object> and <embed> elements. This includes browser plugin features such as Flash, Java, and ActiveX controls.

The object and embed tags are used less and less in modern web applications. In many cases such tags open a hole for exploitation, for example if an attacker can exploit a bug in the Flash Player plugin or the Java Runtime Environment (JRE).

We can use Content-Security-Policy to block all loading of these resources, or to only allow loading them from trusted sources.

Block loading of Flash, Java or ActiveX with CSP

The most common use of the object-src CSP directive is to block the loading of browser plugins such as Java, Flash or ActiveX. This can be accomplished using the 'none' source list value, for example:

Content-Security-Policy: object-src 'none';

The plugin-types Directive

The plugin-types directive is a non-standard, deprecated directive that lets you allow only certain MIME types of plugin. The use case is, for example, allowing Java plugins to run while preventing Flash and everything else.

Does object-src inherit from default-src?

If you do not specify an object-src directive, but do specify a default-src directive, then the value of the default-src directive is used.

If you specify both an object-src and a default-src directive, then the object-src directive takes precedence.
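
The fallback rule above can be checked mechanically when auditing response headers. The following is an added example, not code from this guide: it resolves which directive governs <object> and <embed> for a single policy string and whether plugin content is fully blocked. The function names and sample policies are constructed for illustration, and it goes slightly beyond the text by also handling repeated directives and empty source lists.

```javascript
// Added example: which source list governs <object>/<embed> for one policy?

// Parse a single policy string into Map(directive name -> source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve the effective plugin policy, applying the default-src fallback.
function effectiveObjectSrc(policy) {
  const directives = parseCsp(policy);
  const origin = directives.has('object-src') ? 'object-src'
    : directives.has('default-src') ? 'default-src'
    : null;
  if (origin === null) {
    // Neither directive present: CSP places no restriction on plugin content.
    return { origin, sources: null, pluginsBlocked: false };
  }
  const sources = directives.get(origin);
  const lowered = sources.map((s) => s.toLowerCase());
  // Nothing can load if the list is empty or consists solely of 'none'.
  const pluginsBlocked = lowered.length === 0 ||
    (lowered.length === 1 && lowered[0] === "'none'");
  return { origin, sources, pluginsBlocked };
}

// Constructed sample policies (hosts are placeholders).
const samples = [
  "object-src 'none';",
  "default-src 'self'; script-src https://cdn.example.com",
  "default-src 'self'; object-src 'none'",
  "script-src 'self'",
];
for (const policy of samples) {
  const r = effectiveObjectSrc(policy);
  console.log(`${policy}\n  -> governed by ${r.origin ?? 'nothing'}, blocked=${r.pluginsBlocked}`);
}
```

A policy that sets only script-src, like the last sample, leaves plugin content unrestricted, which is the case most worth flagging in a header review.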

What is the difference between object-src and script-src in CSP?

The CSP script-src directive controls the loading of scripts, such as JavaScript loaded through the script tag, while the object-src directive pertains only to tags such as <object> and <embed>.


Browser Support for object-src

CSP Level 1


Supported On:


Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)


Not Supported On:


Internet Explorer

The CSP object-src directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).

Internet Explorer 11 and below do not support the CSP object-src directive. This means that IE11 will simply ignore the policy and continue to load object or embed tags including Flash, Java, ActiveX, etc.
