Default Attribute
Policy Description
The HTTP Content-Security-Policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements. To set allowed types for <object>, <embed>, and <applet> elements, use the plugin-types directive. Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch directive (e.g. explicitly set object-src 'none' if possible).
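
One way to check a deployed policy against this recommendation, as an added example that is not part of the original page: the function names and the sample header strings are constructed for illustration. It assumes the standard fetch-directive fallback, where default-src governs plugin content when object-src is absent.

```python
# Added example: report how a CSP header value governs <object>/<embed>/<applet>.
# The header strings at the bottom are constructed samples.

def parse_csp(header):
    """Parse one CSP header value into {directive_name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; a repeated directive is
            # ignored by browsers, so the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_object_src(header):
    """Return (status, governing_directive) for plugin content."""
    policy = parse_csp(header)
    # object-src is a fetch directive, so default-src applies when it is absent.
    for name in ("object-src", "default-src"):
        if name in policy:
            break
    else:
        return ("unrestricted", None)  # nothing limits plugin sources
    sources = [s.lower() for s in policy[name]]
    # An empty source list or a lone 'none' matches no URL at all.
    if not sources or sources == ["'none'"]:
        return ("blocked", name)
    # "*" and bare scheme sources (https:, data:) admit almost any origin.
    if any(s == "*" or s.endswith(":") for s in sources):
        return ("permissive", name)
    return ("allowlist", name)


if __name__ == "__main__":
    for sample in (
        "default-src 'self'; object-src 'none'",  # recommended setting
        "default-src 'self'",                     # inherited allowlist
        "script-src 'self'",                      # plugins not covered
        "default-src 'self'; object-src https:",  # scheme-wide source
    ):
        print(audit_object_src(sample), "<-", sample)
```

Only the "blocked" result meets the recommendation above; "allowlist" means plugin content can still load from the listed origins.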