fix(csp): flag object-src wildcard as a high-risk misconfiguration #52
Open
dmchaledev wants to merge 1 commit into
Conversation
`object-src *` allows unrestricted plugin content (Flash, Java, ActiveX) that can execute scripts and bypass CSP. It was silently omitted from the wildcard-directive check, so a policy like `default-src 'self'; script-src 'self'; object-src *` scored 20/30 — a perfect CSP score — despite the critical gap. Adds `object-src` to `wildcardDirectives` and a matching test case. https://claude.ai/code/session_01XNrf9CDh8K2SLvH7U5rPPs
## Summary

`object-src *` allows unrestricted plugin content (Flash, Java, ActiveX) that can execute scripts and fully bypass CSP — it is listed in the CSP spec as one of the directives that must be restricted to prevent script injection. `object-src` was missing from the `wildcardDirectives` list in `checkCSP`, so a policy like `default-src 'self'; script-src 'self'; object-src *` silently scored 20/30 — a perfect CSP score — while leaving a critical gap.

- Adds `object-src` to `wildcardDirectives` alongside `script-src`, `connect-src`, etc.

### Repro (before fix)

### After fix

```js
// score: 15, findings: ["Wildcard (*) source in object-src allows any origin"]
```

## Test plan

- `detects wildcard in object-src` added to `test/analyzer.test.ts`
- `npm test`
- `object-src` directive

https://claude.ai/code/session_01XNrf9CDh8K2SLvH7U5rPPs
Generated by Claude Code
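The check this PR corrects, written out as a stand-alone example that is not the project's `checkCSP` and does not reproduce its scoring: a small CSP parser plus a wildcard scan driven by a `wildcardDirectives` list, run once with and once without `object-src` against the policy quoted above. It goes one step beyond the PR in that it also resolves the `default-src` fallback, so a policy of `default-src *` with no `object-src` is reported too. The directive list, the finding message text and the fallback set are assumptions for this example, not values taken from the project.

```typescript
// Added example, not the project's code. Demonstrates why object-src must be
// in the wildcard-directive list and how default-src fallback affects the check.

type Policy = Map<string, string[]>;

interface Finding {
  directive: string;
  message: string;
}

/** Parse a Content-Security-Policy header value into directive -> source list. */
function parseCSP(header: string): Policy {
  const policy: Policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Per CSP, a repeated directive is ignored; only the first one counts.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

/**
 * Effective source list for a fetch directive: the directive itself if set,
 * otherwise default-src, otherwise undefined (no restriction expressed at all).
 * Applies to fetch directives such as script-src, object-src and connect-src.
 */
function effectiveSources(policy: Policy, directive: string): string[] | undefined {
  return policy.get(directive) ?? policy.get("default-src");
}

/**
 * Report every directive in `wildcardDirectives` whose effective source list
 * contains a bare `*`. The list is a parameter so the pre-fix and post-fix
 * behaviour can be compared on the same policy.
 */
function findWildcards(header: string, wildcardDirectives: string[]): Finding[] {
  const policy = parseCSP(header);
  const findings: Finding[] = [];
  for (const directive of wildcardDirectives) {
    const sources = effectiveSources(policy, directive);
    if (sources && sources.includes("*")) {
      const via = policy.has(directive) ? directive : `default-src (no ${directive} set)`;
      findings.push({ directive, message: `Wildcard (*) source in ${via} allows any origin` });
    }
  }
  return findings;
}

// Assumed lists: the "before" list lacks object-src, the "after" list has it.
const WILDCARD_DIRECTIVES_BEFORE = ["script-src", "connect-src"];
const WILDCARD_DIRECTIVES_AFTER = [...WILDCARD_DIRECTIVES_BEFORE, "object-src"];

// The policy quoted in the PR description.
const PR_POLICY = "default-src 'self'; script-src 'self'; object-src *";

// Stand-alone run: the first call finds nothing, the second flags object-src.
console.log("before fix:", findWildcards(PR_POLICY, WILDCARD_DIRECTIVES_BEFORE));
console.log("after fix: ", findWildcards(PR_POLICY, WILDCARD_DIRECTIVES_AFTER));
```

Because `object-src` inherits from `default-src` when it is absent, a scanner that only looks at directives explicitly present in the header will also miss `default-src *` with no `object-src` at all; resolving the fallback first, as `effectiveSources` does, closes that second gap. A policy that sets `object-src 'none'` is the usual hardened form and produces no finding.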