object-src
Content-Security-Policy Fetch

Overview

object-src controls the sources of plugin content loaded via <object>, <embed> (and legacy <applet>). When omitted it inherits from default-src. On the modern web, setting it to 'none' to fully block plugins is almost always best practice.

Details

Plugins like Flash, Java, and Silverlight were long a source of severe execution vulnerabilities, and <object>/<embed> can be abused to execute scripts or bypass CSP. Most sites need no such legacy plugins, so explicitly setting object-src 'none' eliminates the attack vector at the source. Google's strict-CSP recommendation lists object-src 'none' alongside a nonce-based script-src and base-uri 'self' as one of the three essentials.

Although object-src does fall back to default-src, if your policy keeps default-src generous, it is safer to pin object-src 'none' separately. The plugin-types directive that once restricted plugin MIME types is deprecated, so consolidate control under object-src.

Syntax

Content-Security-Policy: object-src 'none'

Notes

Related directives