The HTTP Content-Security-Policy object-src directive specifies valid sources for the
<applet>elements.To set allowed types for
<applet>elements, use the plugin-types directive. Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and aren’t receiving new standardized features (such as the security attributes sandbox or allow for
<iframe>). Therefore it is recommended to restrict this fetch-directive (e.g. explicitly set object-src ‘none’ if possible).