fix(csp): flag wildcard and bare-scheme sources in object-src #84
Open
dmchaledev wants to merge 1 commit into
Conversation
object-src was missing from the list of sensitive fetch directives that are checked for wildcard (*) and bare-scheme (e.g. https:) sources. A policy like `default-src 'self'; object-src *` would silently pass the wildcard check while allowing plugins to be loaded from any origin — a known attack vector for Flash/Java-based exploits.

Adds three test cases: wildcard in object-src, bare scheme in object-src, and a negative case confirming object-src 'none' is not flagged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015FdvhyE9g4Z7mtnoWxaziR
Problem

`checkCSP` checked six directives for wildcard (`*`) and bare-scheme (e.g. `https:`) sources: `object-src` was absent. That means a policy like:

```
default-src 'self'; object-src *
```

would pass the analyzer's wildcard check cleanly, even though `object-src *` allows loading plugins (Flash, Java applets, PDF viewers) from any origin — a well-documented attack vector historically exploited for arbitrary code execution.

Fix

Add `object-src` to the `wildcardDirectives` array. The existing `isPermissiveSource` helper correctly flags `*` and bare schemes, so no other logic changes are needed.

Tests added

Three new cases in `test/analyzer.test.ts`:

- `object-src *`
- `object-src https:`
- `object-src 'none'`

All 88 tests pass.

Why this matters

The security community broadly recommends `object-src 'none'` as a baseline CSP hardening step (Google CSP evaluator, OWASP CSP cheat sheet). Without this check, the analyzer gives a false sense of security to sites that restrict `default-src` but leave `object-src` open.

🤖 Generated with Claude Code
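The check the PR describes, written out as an added example rather than the analyzer's own code: parse a policy, walk the directives that control active content, and report any source that is the bare wildcard or a scheme-only source. The PR only names `object-src` as the directive that was missing and does not list the other six, so the directive set, and every identifier here (`parseCsp`, `isPermissiveSource`, `findPermissiveSources`, `SENSITIVE_DIRECTIVES`, `SAMPLES`), are assumptions, not the project's. The sample policies are constructed to match the three test cases the PR adds.

```typescript
// Added example, not code from the PR or the analyzer it patches.
// Names and the directive list below are assumptions.

export type Reason = "wildcard" | "bare-scheme";

export interface Finding {
  directive: string;
  source: string;
  reason: Reason;
}

// Assumed set of directives worth checking. The PR says six were already
// covered and object-src was the missing one; it does not name the six.
export const SENSITIVE_DIRECTIVES: readonly string[] = [
  "default-src",
  "script-src",
  "style-src",
  "connect-src",
  "frame-src",
  "worker-src",
  "object-src",
];

// Parse "directive src src; directive src" into a map of directive -> sources.
// Directive names are case-insensitive; a repeated directive is ignored after
// its first occurrence, which is how browsers treat duplicates.
export function parseCsp(policy: string): Map<string, string[]> {
  const result = new Map<string, string[]>();
  for (const rawDirective of policy.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!result.has(name)) result.set(name, tokens.slice(1));
  }
  return result;
}

// A source is permissive when it is the bare wildcard or a scheme-only source
// such as https: or data:, which admits every host reachable over that scheme.
// Quoted keywords ('self', 'none') and host sources are not flagged.
export function isPermissiveSource(source: string): Reason | null {
  if (source === "*") return "wildcard";
  // scheme-source per CSP grammar: scheme name followed by a single ":" only
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return "bare-scheme";
  return null;
}

// Report every permissive source found in a sensitive directive.
// A sensitive directive that is absent falls back to default-src, which is
// itself in the list, so nothing is lost by skipping it here.
export function findPermissiveSources(policy: string): Finding[] {
  const directives = parseCsp(policy);
  const findings: Finding[] = [];
  for (const directive of SENSITIVE_DIRECTIVES) {
    const sources = directives.get(directive);
    if (!sources) continue;
    for (const source of sources) {
      const reason = isPermissiveSource(source);
      if (reason) findings.push({ directive, source, reason });
    }
  }
  return findings;
}

// Constructed sample policies mirroring the PR's three test cases.
export const SAMPLES = {
  wildcard: "default-src 'self'; object-src *",
  bareScheme: "default-src 'self'; object-src https:",
  none: "default-src 'self'; object-src 'none'",
};

for (const [label, policy] of Object.entries(SAMPLES)) {
  console.log(label, findPermissiveSources(policy));
}
```

Note that `object-src` with no sources at all (`object-src;`) parses to an empty list and is correctly not flagged, since CSP treats an empty source list as `'none'`.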