guydumais/next-strict-csp

Missing object-src and missing base-uri

Bexy-Lyn opened this issue · 1 comments

Hey, first of all thanks for the package! I am new to CSP, so this is helping me a lot.
But after including the meta-tag in my head, I still get high severity warnings in Google Lighthouse for not having it set up correctly...

Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can.
Directive: object-src
Severity: High

Missing base-uri allows injected tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting base-uri to 'none' or 'self'.
Directive: base-uri
Severity: High

Am I supposed to add them manually? Or is this behaviour intended?

Thanks in advance!

Hi @Bexy-Lyn,

It sounds like a bad integration somewhere. Did you followed the integration (installation) instructions for Basic Usage here?: https://github.com/guydumais/next-strict-csp#basic-usage

Also, if you're using inline scripts you should do it using the Advanced Method.

Also, a code snippet of your current integration would be very helpful in identifying your issue.