Make Content-Security-Policy disallow 'object-src' by default

Ref h5bp/server-configs-apache#190
h5bp · Jun 28, 2021 · 8600df1 · 8600df1
1 parent b9ef881
commit 8600df1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/nginx.conf b/nginx.conf
@@ -105,7 +105,7 @@ http {
   # Add Content-Security-Policy for HTML documents.
   # h5bp/security/content-security-policy.conf
   map $sent_http_content_type $content_security_policy {
-    ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
+    ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
   }
 
   # Add Referrer-Policy for HTML documents.