
Directive: object src

Ryan Parman edited this page Jun 14, 2024 · 8 revisions

Overview

The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements. This was originally paired with plugin-types to determine which media types (née mime types) were permitted.

As of 2023, no browser supports traditional plugins anymore (browser "extensions" are a completely different thing). However, browsers continue to have support for the PDF format, which used to require a plugin. If PDF files can be displayed inline, then application/pdf and text/pdf content is allowed, as per the HTML specification.

Caution

The elements controlled by object-src are (perhaps coincidentally) considered legacy HTML elements and are not receiving new standardized features, such as the security attributes sandbox or allow that <iframe> has. It is therefore recommended to restrict them by explicitly setting object-src 'none'.

Affects: <object>; <embed>; <applet>

Required reading:

Usage examples

Accepts one or more schemes or hosts, the 'self' keyword, or the 'none' keyword.

object-src 'none'
object-src 'self'
object-src example.com
object-src example.com example.org
object-src https://*.example.com
object-src https:

Fallbacks

object-src will fall back to default-src if it is not defined.

Possible errors

  • CSP-0100 — [ERROR] directive %s has an invalid value %s
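The following Python is added here as an illustration and is not part of this wiki or of the tool it documents. It parses a Content-Security-Policy header, resolves the effective object-src (falling back to default-src when object-src is absent, as described under Fallbacks), and reports values that do not fit the forms in the usage examples using the CSP-0100 message above. The regular expressions are an assumption covering only the scheme, host and keyword forms shown on this page, not the full serialized-source-list grammar.

```python
import re

# Assumed, simplified grammar: a bare scheme ("https:") or a host with an
# optional scheme, optional "*." prefix and optional port. The real CSP3
# serialized-source-list also allows nonces, hashes and other keywords.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"          # optional scheme
    r"(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"  # host, optional *. prefix
    r"(?::(?:\d+|\*))?$"                          # optional port
)


def parse_policy(header):
    """Split a CSP header value into {directive-name: [values]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        # A duplicate directive is ignored; the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_object_src(policy):
    """Return (values, directive) that governs <object>/<embed>/<applet>."""
    if "object-src" in policy:
        return policy["object-src"], "object-src"
    if "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None            # neither set: no restriction applies


def validate_source_list(name, values):
    """Return CSP-0100 style errors for values outside the accepted forms."""
    errors = []
    for v in values:
        # 'none' is only valid as the sole value of the source list.
        if v == "'none'" and len(values) == 1:
            continue
        if v in ("'self'", "*") or SCHEME_RE.match(v) or HOST_RE.match(v):
            continue
        errors.append(f"CSP-0100 [ERROR] directive {name} has an invalid value {v}")
    return errors


def audit_object_src(header):
    """Resolve the effective object-src and validate it in one step."""
    values, directive = effective_object_src(parse_policy(header))
    if values is None:
        return None, []
    return directive, validate_source_list(directive, values)
```
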

For developers

ABNF (CSP3)

directive-name  = "object-src"
directive-value = serialized-source-list

See ABNF: serialized-source-list

Type

References
