The HTTP {{HTTPHeader("Content-Security-Policy")}} object-src directive specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.
To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements, use the {{CSP("plugin-types")}} directive.
| CSP version | 1 |
|---|---|
| Directive type | {{Glossary("Fetch directive")}} |
| {{CSP("default-src")}} fallback | Yes. If this directive is absent, the user agent will look for the default-src directive. |
Syntax
One or more sources can be allowed for the object-src policy:

```http
Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;
```
Sources
{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
Examples
Violation cases
Given this CSP header:

```http
Content-Security-Policy: object-src https://example.com/
```

The following {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements are blocked and won't load:

```html
<embed src="https://not-example.com/flash"></embed>
<object data="https://not-example.com/plugin"></object>
<applet archive="https://not-example.com/java"></applet>
```
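The matching a user agent performs for the violation cases above, as an added example that is not part of the MDN page or any browser's code: a simplified CSP source-expression matcher that resolves object-src, falls back to default-src when object-src is absent, and decides whether a plugin URL may load. It assumes a page origin of https://example.com and implements only the common source forms ('none', 'self', *, scheme-source, host-source with wildcard host, port and path), not nonces, hashes or the http-to-https upgrade rule.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Parse a CSP value (header name optional) into {directive: [source expressions]}."""
    if header.lower().startswith("content-security-policy:"):
        header = header.split(":", 1)[1]
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Simplified CSP source match: 'none', 'self', *, scheme-source, host-source."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        expr = page_origin                            # 'self' means the page's own origin
    if expr == "*":
        return u.scheme in DEFAULT_PORTS              # network schemes only, not data: etc.
    if expr.endswith(":"):                            # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1].lower()
    e = urlsplit(expr if "://" in expr else "//" + expr)   # host-source
    scheme = e.scheme.lower() or u.scheme
    if scheme != u.scheme or u.scheme not in DEFAULT_PORTS:
        return False
    host, ehost = (u.hostname or ""), (e.hostname or "")
    if ehost.startswith("*."):
        if not host.endswith(ehost[1:]):              # "*.example.com": subdomains only
            return False
    elif host != ehost:
        return False
    if (u.port or DEFAULT_PORTS[u.scheme]) != (e.port or DEFAULT_PORTS[scheme]):
        return False
    upath = u.path or "/"                             # a URL with no path is treated as "/"
    if e.path.endswith("/"):                          # directory path: prefix match
        return upath.startswith(e.path)
    return not e.path or upath == e.path              # file path: exact match

def object_src_allows(header, url, page_origin="https://example.com"):
    """True if <object>/<embed>/<applet> may load url; object-src falls back to default-src."""
    policy = parse_csp(header)
    sources = policy.get("object-src", policy.get("default-src"))
    if sources is None:
        return True                                   # no governing directive: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)
```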
Specifications
| Specification | Status | Comment |
|---|---|---|
| {{specName("CSP 3.0", "#directive-object-src", "object-src")}} | {{Spec2('CSP 3.0')}} | No changes. |
| {{specName("CSP 1.1", "#directive-object-src", "object-src")}} | {{Spec2('CSP 1.1')}} | Initial definition. |
Browser compatibility
{{Compat}}
See also
- {{HTTPHeader("Content-Security-Policy")}}
- {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}}
- {{CSP("plugin-types")}}