Revision 1141009 of CSP: object-src

  • Revision slug: Web/HTTP/Headers/Content-Security-Policy/object-src
  • Revision title: Content-Security-Policy: object-src
  • Revision id: 1141009
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment: new page

Revision Content

{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} object-src directive specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.

To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements, use the {{CSP("plugin-types")}} directive.

CSP version: 1
Directive type: {{Glossary("Fetch directive")}}
{{CSP("default-src")}} fallback: Yes. If this directive is absent, the user agent will look for the default-src directive.

Syntax

One or more sources can be allowed for the object-src policy:

Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;

Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}

Examples

Violation cases

Given this CSP header:

Content-Security-Policy: object-src https://example.com/

The following {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements are blocked and won't load:

<embed src="https://not-example.com/flash"></embed>
<object data="https://not-example.com/plugin"></object>
<applet archive="https://not-example.com/java"></applet>
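To make the matching concrete, here is an added example (not MDN's code) of how a user agent decides whether a plugin resource may load: it parses the header, applies the default-src fallback described in the table above, and matches host-source expressions by scheme, host (including a leading `*.` wildcard), port and path prefix. Keyword sources such as 'self', nonces and hashes are out of scope and are treated as no match; scheme comparison is strict (no http-to-https upgrade).

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
// The "Content-Security-Policy:" header name may be included or omitted.
function parseCsp(header) {
  const value = header.replace(/^\s*content-security-policy:\s*/i, "");
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by user agents: the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// host-source: [scheme://]host[:port][/path]  (host may be * or *.example)
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|[^/:]+)(?::(\d+|\*))?(\/.*)?$/i;

// Does one source expression allow the given URL object?
function sourceMatches(source, url) {
  // 'none', 'self', 'nonce-...', 'sha256-...': none of these grant a host match here.
  if (source.startsWith("'")) return false;
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  if (host !== "*") {
    const h = host.toLowerCase();
    if (h.startsWith("*.") ? !url.hostname.endsWith(h.slice(1)) : h !== url.hostname) return false;
  }
  const defaultPort = { "https:": "443", "http:": "80" }[url.protocol] || "";
  if (port && port !== "*" && port !== (url.port || defaultPort)) return false;
  if (path && path !== "/") {
    // "/dir/" matches everything below that directory; "/file" must match exactly.
    return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// True when an <object>/<embed>/<applet> resource at urlString may load under header.
function pluginAllowed(header, urlString) {
  const policy = parseCsp(header);
  // object-src falls back to default-src; with neither present nothing is restricted.
  const sources = policy.get("object-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url));
}

// Constructed input mirroring the violation case above.
const EXAMPLE_HEADER = "Content-Security-Policy: object-src https://example.com/";
```

Each of the three blocked URLs from the violation case yields `false` with `EXAMPLE_HEADER`, while `https://example.com/plugin.swf` yields `true`.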

Specifications

Specification | Status | Comment
{{specName("CSP 3.0", "#directive-object-src", "object-src")}} | {{Spec2('CSP 3.0')}} | No changes.
{{specName("CSP 1.1", "#directive-object-src", "object-src")}} | {{Spec2('CSP 1.1')}} | Initial definition.

Browser compatibility

{{Compat}}

See also

  • {{HTTPHeader("Content-Security-Policy")}}
  • {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}}
  • {{CSP("plugin-types")}}

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} <code><strong>object-src</strong></code> directive specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.</p>

<p>To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements, use the {{CSP("plugin-types")}} directive.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">CSP version</th>
   <td>1</td>
  </tr>
  <tr>
   <th scope="row">Directive type</th>
   <td>{{Glossary("Fetch directive")}}</td>
  </tr>
  <tr>
   <th scope="row">{{CSP("default-src")}} fallback</th>
   <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<p>One or more sources can be allowed for the object-src policy:</p>

<pre class="syntaxbox">
Content-Security-Policy: object-src &lt;source&gt;;
Content-Security-Policy: object-src &lt;source&gt; &lt;source&gt;;
</pre>

<h3 id="Sources">Sources</h3>

<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>

<h2 id="Examples">Examples</h2>

<h3 id="Violation_cases">Violation cases</h3>

<p>Given this CSP header:</p>

<pre class="brush: bash">
Content-Security-Policy: object-src https://example.com/</pre>

<p>The following {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements are blocked and won't load:</p>

<pre class="brush: html">
&lt;embed src="https://not-example.com/flash"&gt;&lt;/embed&gt;
&lt;object data="https://not-example.com/plugin"&gt;&lt;/object&gt;
&lt;applet archive="https://not-example.com/java"&gt;&lt;/applet&gt;</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("CSP 3.0", "#directive-object-src", "object-src")}}</td>
   <td>{{Spec2('CSP 3.0')}}</td>
   <td>No changes.</td>
  </tr>
  <tr>
   <td>{{specName("CSP 1.1", "#directive-object-src", "object-src")}}</td>
   <td>{{Spec2('CSP 1.1')}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Content-Security-Policy")}}</li>
 <li>{{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}}</li>
 <li>{{CSP("plugin-types")}}</li>
</ul>