
Content-Security-Policy disallow 'object-src' by default #190

Closed
Malvoz opened this issue May 6, 2019 · 0 comments · Fixed by #271
Labels: awaiting feedback (Further information is requested), enhancement (New feature or request)

Malvoz commented May 6, 2019

Google's csp-evaluator is complaining whenever the fetch-directive object-src is missing (unless default-src is 'none', which is rarely done in the wild). I reported this to webhint as well.

object-src, per the spec, "acts upon any request made on behalf of an <object>, <embed>, or <applet> element" and can be used to allow plugin-types such as application/x-shockwave-flash (also, this directive may be removed from the web platform).

These elements are largely considered legacy elements that do not receive new standardized security features such as the (<iframe>) sandbox or allow attributes.

The recommendation is documented in https://csp.withgoogle.com/docs/strict-csp.html, and https://csp.withgoogle.com/docs/faq.html#comparison:

> Since setting directives other than script-src and object-src doesn't increase the protection against cross-site scripting, and it adds adoption and maintenance costs of CSP, we believe most applications should focus on deploying the baseline strict policy as the most high-impact improvement.

I don't have knowledge of how common it is or which other types of plugins may be used. I think people use <object> to embed PDFs etc. However, I don't think developers implementing a CSP today are still using these legacy elements.

WDYT?
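An added check for the gap csp-evaluator reports above, written for this issue and not part of h5bp's configs or of csp-evaluator itself: it parses a policy string, applies the default-src fallback that the spec gives object-src, and flags any policy whose effective plugin source list is not 'none'. The header values in `SAMPLES` are constructed.

```python
"""Flag Content-Security-Policy values that leave plugins (object-src) unrestricted."""
from typing import Dict, List, Optional

PLUGIN_DIRECTIVE = "object-src"
FALLBACK_DIRECTIVE = "default-src"


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are case-insensitive; on a duplicated directive the
    first occurrence wins, which matches how browsers process the policy.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header_value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_object_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list governing plugins, honouring the default-src fallback."""
    if PLUGIN_DIRECTIVE in policy:
        return policy[PLUGIN_DIRECTIVE]
    return policy.get(FALLBACK_DIRECTIVE)  # None when neither directive is set


def object_src_finding(header_value: str) -> Optional[str]:
    """Return a finding when plugins are not locked down, or None when they are."""
    policy = parse_csp(header_value)
    sources = effective_object_src(policy)
    if sources is None:
        return "object-src missing and no default-src: plugins unrestricted"
    # A directive with no source expressions, or exactly 'none', matches nothing.
    if not sources or [s.lower() for s in sources] == ["'none'"]:
        return None
    via = PLUGIN_DIRECTIVE if PLUGIN_DIRECTIVE in policy else FALLBACK_DIRECTIVE
    return f"plugins allowed via {via} {' '.join(sources)}; set object-src 'none'"


# Constructed header values: the first two are what csp-evaluator complains about.
SAMPLES = [
    "script-src 'self'",
    "default-src 'self'; script-src 'self'",
    "default-src 'none'; script-src 'self'",
    "script-src 'self'; object-src 'none'",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}: {object_src_finding(value) or 'ok'}")
```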

@LeoColomb LeoColomb added awaiting feedback Further information is requested enhancement New feature or request labels May 6, 2019
@LeoColomb LeoColomb changed the title [CSP] disallow 'object-src' by default? Content Security Policy disallow 'object-src' by default Jan 3, 2020
@LeoColomb LeoColomb changed the title Content Security Policy disallow 'object-src' by default Content-Security-Policy disallow 'object-src' by default Jan 3, 2020
@LeoColomb LeoColomb linked a pull request Jun 14, 2021 that will close this issue
LeoColomb added a commit to h5bp/server-configs-nginx that referenced this issue Jun 28, 2021