object-src [missing] - Githubissues

From MDN

Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for ). Therefore it is recommended to restrict this fetch-directive (e.g. explicitly set object-src 'none' if possible).</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/lweichselbaum"><img src="https://avatars.githubusercontent.com/u/13779502?v=4" />lweichselbaum</a> commented <strong> 4 years ago</strong> </div> <div class="markdown-body"> <p>Ideally you'd set <code>object-src</code> to <code>'none'</code>. Also please note that the CSP you pasted can be bypassed in several ways (AngularJS and jsonp endpoints hosted on the domains you're allowing in <code>script-src</code>)</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

google / csp-evaluator

object-src [missing] #20