object-src

Default Attribute
 
Policy Description
The HTTP Content-Security-Policy object-src directive specifies valid sources for the <object><embed>, and <applet> elements.To set allowed types for <object><embed>, and <applet> elements, use the plugin-types directive. Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and aren’t receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch-directive (e.g. explicitly set object-src ‘none’ if possible).