Object sources are restricted

ab-001326 · extension-permissions-security.content-security-policy.object-src-none

Severity: highactive

Why it matters

CWE-693 (Protection Mechanism Failure) captures the gap: an extension that restricts script-src but omits object-src still allows <object>, <embed>, and <applet> tags to load arbitrary plugins. Although Flash is dead, the attack vector persists because object-src defaulting to default-src is exploitable when default-src is permissive. OWASP A05 (Security Misconfiguration) applies: a CSP that looks correct but has an unconstrained fallback is misconfigured. Chrome's own CSP documentation explicitly recommends object-src 'none' as part of the minimal safe CSP for extension pages.

Severity rationale

High because a missing explicit `object-src` directive allows plugin-based content injection via `<object>` and `<embed>` tags, bypassing an otherwise hardened `script-src` policy.

Remediation

Add object-src 'none' explicitly to your extension pages CSP in manifest.json — do not rely on default-src fallback.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none';"
}

Pair this with script-src 'self' so both directives are explicit. Auditors and the Chrome Web Store review team will flag any CSP where object-src is missing or permissive.

Detection

ID: object-src-none
Severity: high
What to look for: Quote the object-src directive from the CSP in manifest.json. Enumerate all CSP directives present and check whether object-src is explicitly set to 'none' to block plugin-based content (Flash, Java applets).
Pass criteria: object-src is explicitly set to 'none' in the CSP. Quote the actual directive value found. At least 1 explicit object-src directive must be present — relying on default-src fallback alone is not sufficient for this check.
Fail criteria: object-src is missing (falls back to default) or set to allow sources.
Skip (N/A) when: Never — plugins are obsolete and dangerous.
Detail on fail: "CSP does not restrict object-src to 'none'."
Remediation: Flash and other plugins are obsolete and dangerous. Explicitly block them in manifest.json:
```
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none';" }
```
Cross-reference: For script source restrictions that complement object-src, see the script-src-safe check in this category.

External references

cwe · CWE-693 — Protection Mechanism Failure
owasp:2021 · A05
external · chrome-csp-object-src — Chrome Extensions: CSP object-src

Taxons

injection-and-input-trust

History

2026-04-18·v1.0.0·Initial import from extension-permissions-security·automated

Why it matters

Remediation

Add object-src 'none' explicitly to your extension pages CSP in manifest.json — do not rely on default-src fallback.

"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'none';"
}

Pair this with script-src 'self' so both directives are explicit. Auditors and the Chrome Web Store review team will flag any CSP where object-src is missing or permissive.

Detection

ID: object-src-none
Severity: high
What to look for: Quote the object-src directive from the CSP in manifest.json. Enumerate all CSP directives present and check whether object-src is explicitly set to 'none' to block plugin-based content (Flash, Java applets).
Pass criteria: object-src is explicitly set to 'none' in the CSP. Quote the actual directive value found. At least 1 explicit object-src directive must be present — relying on default-src fallback alone is not sufficient for this check.
Fail criteria: object-src is missing (falls back to default) or set to allow sources.
Skip (N/A) when: Never — plugins are obsolete and dangerous.
Detail on fail: "CSP does not restrict object-src to 'none'."
Remediation: Flash and other plugins are obsolete and dangerous. Explicitly block them in manifest.json:
```
"content_security_policy": { "extension_pages": "script-src 'self'; object-src 'none';" }
```
Cross-reference: For script source restrictions that complement object-src, see the script-src-safe check in this category.