Object sources are restricted

ab-001326 · extension-permissions-security.content-security-policy.object-src-none
Severity: high
Status: active

Why it matters

CWE-693 (Protection Mechanism Failure) captures the gap: an extension that restricts script-src but omits object-src still allows <object>, <embed>, and <applet> tags to load arbitrary plugins. Although Flash is dead, the attack vector persists because object-src defaulting to default-src is exploitable when default-src is permissive. OWASP A05 (Security Misconfiguration) applies: a CSP that looks correct but has an unconstrained fallback is misconfigured. Chrome's own CSP documentation explicitly recommends object-src 'none' as part of the minimal safe CSP for extension pages.

Severity rationale

High because a missing explicit `object-src` directive allows plugin-based content injection via `<object>` and `<embed>` tags, bypassing an otherwise hardened `script-src` policy.

Remediation

Add object-src 'none' explicitly to the extension_pages CSP of your extension in manifest.json — do not rely on the default-src fallback.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none';"
}

Pair this with script-src 'self' so both directives are explicit. Auditors and the Chrome Web Store review team will flag any CSP where object-src is missing or permissive.

Detection

  • ID: extension-permissions-security.content-security-policy.object-src-none

  • Severity: high

  • What to look for: Quote the object-src directive from the CSP in manifest.json. Enumerate all CSP directives present and check whether object-src is explicitly set to 'none' to block plugin-based content (Flash, Java applets).

  • Pass criteria: object-src is explicitly set to 'none' in the CSP. Quote the actual directive value found. At least 1 explicit object-src directive must be present — relying on default-src fallback alone is not sufficient for this check.

  • Fail criteria: object-src is missing (falls back to default) or set to allow sources.

  • Skip (N/A) when: Never — plugins are obsolete and dangerous.

  • Detail on fail: "CSP does not restrict object-src to 'none'."

  • Remediation: Flash and other plugins are obsolete and dangerous. Explicitly block them in manifest.json:

    "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none';" }

  • Cross-reference: For script source restrictions that complement object-src, see the script-src-safe check in this category.
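The following is an added example, not part of this check page or of any scanner it describes. It implements the pass/fail criteria above over three constructed manifest.json documents: one that relies on the default-src fallback, one with the hardened CSP from the Remediation section, and one whose object-src allows sources. The parser, the result shape and the sample manifests are assumptions made for the example; the only spec behaviour relied on is that CSP directives are ';'-separated, that the first token of each is the directive name, and that duplicate directives after the first are ignored.

```python
import json

# Constructed sample manifests (not taken from the page or any real extension).
MANIFEST_FALLBACK = json.dumps({
    "manifest_version": 3,
    "content_security_policy": {
        # object-src absent: it silently inherits the permissive default-src
        "extension_pages": "default-src *; script-src 'self';"
    },
})
MANIFEST_HARDENED = json.dumps({
    "manifest_version": 3,
    "content_security_policy": {
        "extension_pages": "script-src 'self'; object-src 'none';"
    },
})
MANIFEST_PERMISSIVE = json.dumps({
    "manifest_version": 3,
    "content_security_policy": {
        "extension_pages": "script-src 'self'; object-src 'self' https://cdn.example;"
    },
})


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive-name: [source-expressions]}.

    Directives are ';'-separated; the first whitespace-separated token is the
    directive name (case-insensitive), the remaining tokens are its sources.
    Only the first occurrence of a directive is kept, matching browser behaviour.
    """
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def check_object_src_none(manifest_json: str) -> dict:
    """Apply the object-src-none check to one manifest.json document.

    Pass only when object-src is present and is exactly 'none'. The result
    quotes the directive actually found (None when absent), lists every
    directive present, and carries the check's fail text in 'detail'.
    """
    manifest = json.loads(manifest_json)
    csp = manifest.get("content_security_policy", {})
    # MV3 nests the extension-page policy under "extension_pages"; MV2 used a
    # bare string. Accept both so the check runs on either manifest version.
    policy = csp.get("extension_pages", "") if isinstance(csp, dict) else csp
    directives = parse_csp(policy)
    present = sorted(directives)
    sources = directives.get("object-src")
    if sources is None:
        return {
            "status": "fail",
            "directive": None,
            "directives_present": present,
            "detail": "CSP does not restrict object-src to 'none'. "
                      "object-src is missing and falls back to default-src.",
        }
    value = " ".join(sources)
    if [s.lower() for s in sources] == ["'none'"]:
        return {
            "status": "pass",
            "directive": f"object-src {value}",
            "directives_present": present,
            "detail": "object-src is explicitly set to 'none'.",
        }
    return {
        "status": "fail",
        "directive": f"object-src {value}",
        "directives_present": present,
        "detail": "CSP does not restrict object-src to 'none'. "
                  f"object-src allows sources: {value}",
    }


if __name__ == "__main__":
    for label, doc in (("fallback", MANIFEST_FALLBACK),
                       ("hardened", MANIFEST_HARDENED),
                       ("permissive", MANIFEST_PERMISSIVE)):
        result = check_object_src_none(doc)
        print(f"{label:10s} {result['status']:4s} {result['directive']!r}: {result['detail']}")
```

The fallback manifest fails even though its script-src is tight, which is the whole point of the check: a missing object-src is reported as missing rather than resolved through default-src, so the finding text tells the reviewer exactly which directive to add.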
