Missing object-src and missing base-uri
Bexy-Lyn opened this issue · 1 comment
Hey, first of all thanks for the package! I am new to CSP, so this is helping me a lot.
But after including the meta-tag in my head, I still get high severity warnings in Google Lighthouse for not having it set up correctly...
Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can.
Directive: object-src
Severity: High
Missing base-uri allows injected tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting base-uri to 'none' or 'self'.
Directive: base-uri
Severity: High
Am I supposed to add them manually? Or is this behaviour intended?
Thanks in advance!
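For readers hitting the same two Lighthouse findings, here is a small added example (not code from the issue, from Lighthouse, or from next-strict-csp) that parses a CSP string such as the `content` attribute of a `<meta http-equiv="Content-Security-Policy">` tag, reproduces the two checks quoted above, and shows the hardened policy beside the weak one. It encodes two facts about CSP fallback: `object-src` falls back to `default-src` when absent, while `base-uri` has no fallback at all, so it must always be stated explicitly. The sample policy, the `auditCsp` / `hardenCsp` function names, and the "Medium" rating for a non-`'none'` `object-src` are this example's own choices, not Lighthouse's.

```javascript
// Added example: a minimal CSP auditor for the two Lighthouse findings
// (missing object-src, missing base-uri). Not part of next-strict-csp.

// Parse "directive source source; directive ..." into a Map of
// directive name -> array of source expressions. Per the CSP spec,
// only the first occurrence of a duplicated directive is honoured.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Reproduce the two checks quoted in the issue. Returns an array of
// findings; an empty array means both directives are acceptably set.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  // object-src is a fetch directive, so it inherits default-src when absent.
  const objectSrc = d.get('object-src') ?? d.get('default-src');
  if (objectSrc === undefined) {
    findings.push({
      directive: 'object-src',
      severity: 'High',
      message: "Missing object-src (and no default-src to fall back on); set object-src 'none'.",
    });
  } else if (!(objectSrc.length === 1 && objectSrc[0].toLowerCase() === "'none'")) {
    // Rating chosen for this example: plugins can still load from the listed sources.
    findings.push({
      directive: 'object-src',
      severity: 'Medium',
      message: `object-src resolves to [${objectSrc.join(' ')}] rather than 'none'.`,
    });
  }

  // base-uri is NOT governed by default-src; if it is absent an injected
  // <base href> can redirect every relative script URL on the page.
  if (!d.has('base-uri')) {
    findings.push({
      directive: 'base-uri',
      severity: 'High',
      message: "Missing base-uri; set base-uri 'none' (or 'self' if the page uses <base>).",
    });
  }
  return findings;
}

// Append the two directives if they are missing, leaving everything else
// untouched. base-uri 'none' is the strictest choice; use 'self' instead
// when the page legitimately sets its own <base> element.
function hardenCsp(policy) {
  const d = parseCsp(policy);
  if (!d.has('object-src')) d.set('object-src', ["'none'"]);
  if (!d.has('base-uri')) d.set('base-uri', ["'none'"]);
  return [...d].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Constructed sample: a nonce-based strict CSP that only covers scripts and
// styles, which is exactly the shape that triggers both Lighthouse warnings.
const WEAK_POLICY = "script-src 'nonce-abc123' 'strict-dynamic'; style-src 'self'";

function demo() {
  const before = auditCsp(WEAK_POLICY);
  const fixed = hardenCsp(WEAK_POLICY);
  const after = auditCsp(fixed);
  return { before, fixed, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Paste the `content` value of your meta tag into `auditCsp` to see which of the two findings applies; if it reports both, the package did not emit those directives for your integration and the fix on the page side is to add `object-src 'none'; base-uri 'none'` to the policy.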
Hi @Bexy-Lyn,
It sounds like a bad integration somewhere. Did you follow the integration (installation) instructions for Basic Usage here: https://github.com/guydumais/next-strict-csp#basic-usage ?
Also, if you're using inline scripts you should do it using the Advanced Method.
Also, a code snippet of your current integration would be very helpful in identifying your issue.