object-src set to none
Why it matters
Flash, Java applets, and Silverlight plugins are extinct on the modern web but remain active attack vectors in browser contexts that don't block `<object>` and `<embed>` elements. Without `object-src 'none'`, an injected `<object>` tag pointing to an attacker-controlled resource can execute plugin code with elevated privileges. CWE-693 (Protection Mechanism Failure) applies: the CSP is in place but fails to close a historically exploited resource category. OWASP A05 (Security Misconfiguration) flags unblocked plugin resources as a legacy misconfiguration that persists long after the actual plugin threat has been neutralized at the browser level.
Severity rationale
Low because modern browsers no longer support most plugins by default, but an explicit `object-src 'none'` is a zero-cost hardening step that eliminates a historically exploited attack surface.
Remediation
Add `object-src 'none'` explicitly to your CSP. No modern web application needs `<object>`, `<embed>`, or `<applet>` elements, so this directive should never require exceptions.
Content-Security-Policy: default-src 'none'; script-src 'nonce-{perRequest}' 'strict-dynamic'; object-src 'none'
Note: `object-src` does not fall back to `default-src` in all browsers; set it explicitly even when `default-src 'none'` is already configured. If your `default-src` is already `'none'` and you verify that `object-src` is not overridden elsewhere, you are covered, but explicit beats implicit for security-critical directives.
Detection
- ID: object-src-none
- Severity: low
- What to look for: Parse the CSP header for the `object-src` directive. Also check `default-src`. Plugins (Flash, Java applets, Silverlight) are legacy attack vectors that should be completely blocked.
- Pass criteria: `object-src` is set to `'none'`, OR `default-src` is `'none'` and no `object-src` override exists (the `default-src` fallback covers it). Count all sources in `object-src` (no more than 1 allowed: `'none'`) and quote the actual `object-src` and `default-src` values in the report.
- Fail criteria: `object-src` is not set to `'none'` and `default-src` does not restrict it to `'none'`.
- Skip (N/A) when: No Content-Security-Policy header configured. Run Security Headers & Basics first.
- Detail on fail: "object-src not restricted to 'none' — plugin-based attack vectors (Flash, Java applets) not blocked" or "object-src inherits from permissive default-src — should be explicitly set to 'none'"
- Remediation: No modern web application needs `<object>`, `<embed>`, or `<applet>` elements. Block them entirely: `object-src 'none'`. If `default-src` is already `'none'`, this is covered automatically, but explicit is better than implicit for security-critical directives.
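The detection logic above, implemented as an added example (not the rule page's or any scanner's own code): it parses the header, applies the pass/fail/skip criteria, and quotes the `object-src` and `default-src` values in the result. The sample headers in `SAMPLES` are constructed for the demonstration.

```python
from typing import Optional

# Constructed sample CSP headers (not captured from any real site).
SAMPLES = {
    "explicit": "default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'",
    "fallback": "default-src 'none'; script-src 'self'",
    "permissive": "default-src 'self'; script-src 'self'",
    "overridden": "default-src 'none'; object-src 'self' https://cdn.example",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Browsers honour only the first occurrence of a directive, so a
    duplicate later in the header is ignored here as well.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def check_object_src(header: Optional[str]) -> dict:
    """Apply the object-src-none rule and return status plus the quoted values."""
    if not header or not header.strip():
        return {"status": "skip", "detail": "No Content-Security-Policy header configured"}
    policy = parse_csp(header)
    object_src = policy.get("object-src")  # None when the directive is absent
    default_src = policy.get("default-src", [])
    result = {"object-src": object_src, "default-src": default_src}

    if object_src is not None:
        # Explicit directive: exactly one source is allowed, and it must be 'none'.
        if [s.lower() for s in object_src] == ["'none'"]:
            return {**result, "status": "pass", "detail": "object-src set to 'none'"}
        return {**result, "status": "fail",
                "detail": "object-src not restricted to 'none': plugin-based attack vectors not blocked"}

    # No explicit directive: the default-src fallback must be exactly 'none'.
    if [s.lower() for s in default_src] == ["'none'"]:
        return {**result, "status": "pass", "detail": "default-src 'none' fallback covers object-src"}
    return {**result, "status": "fail",
            "detail": "object-src inherits from permissive default-src: set it explicitly to 'none'"}
```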
External references
- cwe · CWE-693
- owasp:2021 · A05
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from security-headers-ii · automated