Add object-src CSP directive

ZoneMinder · Feb 20, 2023 · 4637eaf · 4637eaf
1 parent 3406d15
commit 4637eaf
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/web/includes/functions.php b/web/includes/functions.php
@@ -55,7 +55,7 @@ function CSPHeaders($view, $nonce) {
       // fall through
     default:
       // Enforce script-src on pages where inline scripts and event handlers have been fixed.
-      header("Content-Security-Policy: script-src 'self' 'nonce-$nonce' $additionalScriptSrc".
+      header("Content-Security-Policy: script-src 'self' object-src 'self' 'nonce-$nonce' $additionalScriptSrc".
         (ZM_CSP_REPORT_URI ? '; report-uri '.ZM_CSP_REPORT_URI : '' )
       );
       break;