title: "CSP: object-src"
slug: Web/HTTP/Headers/Content-Security-Policy/object-src
browser-compat: http.headers.Content-Security-Policy.object-src

{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} object-src directive specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.

To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements, use the {{CSP("plugin-types")}} directive.

Note: Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch-directive (e.g. explicitly set object-src 'none' if possible).

Syntax

One or more sources can be allowed for the object-src policy:

Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;

Sources

<source> can be any one of the values listed in CSP Source Values.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a number of other directives).

Examples

Violation cases

Given this CSP header:

Content-Security-Policy: object-src https://example.com/

The following {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements are blocked and won't load:

<embed src="https://not-example.com/flash"></embed>
<object data="https://not-example.com/plugin"></object>
<applet archive="https://not-example.com/java"></applet>

Specifications

{{Specifications}}

Browser compatibility

{{Compat}}

See also

• {{HTTPHeader("Content-Security-Policy")}}

• {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}}

• {{CSP("plugin-types")}}