Add commit from QEDK

wntrblm · Jun 8, 2021 · cd96f6e · cd96f6e
1 parent 278b0e9
commit cd96f6e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py
@@ -26,6 +26,7 @@
 
 DEFAULT_CSP_POLICY = {
     'default-src': '\'self\'',
+    'object-src': '\'none\'',
 }
 
 GOOGLE_CSP_POLICY = {
@@ -39,6 +40,7 @@
     # Used by generated code from http://www.google.com/fonts
     'style-src': '\'self\' ajax.googleapis.com fonts.googleapis.com '
                  '*.gstatic.com',
+    'object-src': '\'none\'',
     'default-src': '\'self\' *.gstatic.com',
 }
 

diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py
@@ -54,7 +54,7 @@ def testDefaults(self):
             'max-age=31556926; includeSubDomains',
             'X-XSS-Protection': '1; mode=block',
             'X-Content-Type-Options': 'nosniff',
-            'Content-Security-Policy': 'default-src \'self\'',
+            'Content-Security-Policy': 'default-src \'self\'; object-src \'none\'',
             'Referrer-Policy': 'strict-origin-when-cross-origin'
         }
 
@@ -134,7 +134,7 @@ def testContentSecurityPolicyOptions(self):
         self.talisman.content_security_policy['image-src'] = '*'
         response = self.client.get('/', environ_overrides=HTTPS_ENVIRON)
         csp = response.headers['Content-Security-Policy']
-        self.assertEqual(csp, "default-src 'self'; image-src *")
+        self.assertEqual(csp, "default-src 'self'; object-src \'none\'; image-src *")
 
         self.talisman.content_security_policy['image-src'] = [
             '\'self\'',