
object-src set to none

ab-002426 · security-headers-ii.csp-quality.object-src-none
Severity: low (active)

Why it matters

Flash, Java applets, and Silverlight plugins are extinct on the modern web but remain active attack vectors in browser contexts that don't block <object> and <embed> elements. Without object-src 'none', an injected <object> tag pointing to an attacker-controlled resource can execute plugin code with elevated privileges. CWE-693 (Protection Mechanism Failure) applies — the CSP is in place but fails to close a historically exploited resource category. OWASP A05 (Security Misconfiguration) flags unblocked plugin resources as a legacy misconfiguration that persists long after the actual plugin threat has been neutralized at the browser level.

Severity rationale

Low because modern browsers no longer support most plugins by default, but an explicit `object-src 'none'` is a zero-cost hardening step that eliminates a historically exploited attack surface.

Remediation

Add object-src 'none' explicitly to your CSP. No modern web application needs <object>, <embed>, or <applet> elements, so this directive should never require exceptions.

Content-Security-Policy: default-src 'none'; script-src 'nonce-{perRequest}' 'strict-dynamic'; object-src 'none'

Note: object-src does not fall back to default-src in all browsers, so set it explicitly even when default-src 'none' is already configured. If your default-src is already 'none' and you have verified that object-src is not overridden elsewhere, you are covered, but explicit beats implicit for security-critical directives.

Detection

  • ID: security-headers-ii.csp-quality.object-src-none

  • Severity: low

  • What to look for: Parse the CSP header for the object-src directive. Also check default-src. Plugins (Flash, Java applets, Silverlight) are legacy attack vectors that should be completely blocked.

  • Pass criteria: object-src is set to 'none', OR default-src is 'none' and no object-src override exists (default-src fallback covers it). Count all sources in object-src (no more than 1 allowed: 'none') and quote the actual object-src and default-src values in the report.

  • Fail criteria: object-src is not set to 'none' and default-src does not restrict it to 'none'.

  • Skip (N/A) when: No Content-Security-Policy header configured. Run Security Headers & Basics first.

  • Detail on fail: "object-src not restricted to 'none' — plugin-based attack vectors (Flash, Java applets) not blocked" or "object-src inherits from permissive default-src — should be explicitly set to 'none'"

  • Remediation: No modern web application needs <object>, <embed>, or <applet> elements. Block them entirely:

    object-src 'none'

    If default-src is already 'none', this is covered automatically — but explicit is better than implicit for security-critical directives.
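The pass, fail and skip criteria above, implemented as an added example (not the scanner's own code) that parses a CSP header value and applies the default-src fallback rule; the header strings in the test are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Result:
    status: str                        # "pass", "fail" or "skip"
    object_src: Optional[List[str]]    # quoted verbatim for the report
    default_src: Optional[List[str]]
    detail: str


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}. Directive names are
    case-insensitive; a repeated directive keeps its first occurrence, as
    browsers do."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_none_only(sources: List[str]) -> bool:
    # Exactly one source, and that source is 'none' (keyword is case-insensitive).
    return [s.lower() for s in sources] == ["'none'"]


def check_object_src(header: Optional[str]) -> Result:
    """Evaluate the object-src-none check for one Content-Security-Policy value."""
    if header is None or not header.strip():
        return Result("skip", None, None, "No Content-Security-Policy header configured")
    policy = parse_csp(header)
    obj, dflt = policy.get("object-src"), policy.get("default-src")
    if obj is not None:
        if is_none_only(obj):
            return Result("pass", obj, dflt, "object-src is set to 'none'")
        return Result("fail", obj, dflt,
                      "object-src not restricted to 'none'; plugin-based attack vectors not blocked")
    # No object-src directive: the check relies on default-src fallback.
    if dflt is not None and is_none_only(dflt):
        return Result("pass", obj, dflt, "default-src 'none' with no object-src override")
    return Result("fail", obj, dflt,
                  "object-src inherits from permissive default-src; set it explicitly to 'none'")
```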
