
Missing object-src and missing base-uri

Open. Bexy-Lyn opened this issue 4 years ago • 1 comment

Hey, first of all thanks for the package! I am new to CSP, so this is helping me a lot. But after including the meta-tag in my head, I still get high severity warnings in Google Lighthouse for not having it set up correctly...

Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can. Directive: object-src Severity: High

Missing base-uri allows injected tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting base-uri to 'none' or 'self'. Directive: base-uri Severity: High

Am I supposed to add them manually? Or is this behaviour intended?

Thanks in advance!

Bexy-Lyn, Nov 01 '21 14:11

Hi @Bexy-Lyn,

It sounds like a bad integration somewhere. Did you follow the integration (installation) instructions for Basic Usage here? https://github.com/guydumais/next-strict-csp#basic-usage

Also, if you're using inline scripts you should do it using the Advanced Method.

Also, a code snippet of your current integration would be very helpful in identifying your issue.

guydumais, Apr 24 '22 12:04
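As an added example (not code from the thread or from the next-strict-csp package), the following parses a Content-Security-Policy string into its directives, reports the two high-severity Lighthouse findings quoted in the issue, and appends `object-src 'none'` and `base-uri 'none'` only where they are missing. The nonce value in the sample policy is a constructed placeholder.

```javascript
// Added example, not part of next-strict-csp: parse a CSP policy into a
// directive map, report the two Lighthouse findings quoted in the issue, and
// append the missing directives. The nonce value is a constructed placeholder.

function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const [name, ...values] = raw.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    // Directive names are case-insensitive; per CSP, a repeated name is ignored.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Returns the high-severity findings Lighthouse raises for these two directives;
// an empty array means both are present.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!d.has('object-src')) {
    findings.push({ directive: 'object-src', severity: 'High', fix: "object-src 'none'" });
  }
  if (!d.has('base-uri')) {
    findings.push({ directive: 'base-uri', severity: 'High', fix: "base-uri 'none'" });
  }
  return findings;
}

// Appends object-src 'none' and base-uri 'none' only where the policy lacks them,
// leaving every existing directive (including an existing base-uri 'self') as is.
function withStrictDefaults(policy) {
  const parts = [policy.trim().replace(/;\s*$/, '')];
  for (const f of auditCsp(policy)) parts.push(f.fix);
  return parts.filter(Boolean).join('; ');
}

// Constructed policy carrying only a nonce-based script-src: both findings fire.
const SCRIPT_ONLY_CSP =
  "script-src 'nonce-PLACEHOLDER_NONCE' 'strict-dynamic' https: 'unsafe-inline'";

console.log(auditCsp(SCRIPT_ONLY_CSP).map(f => f.directive)); // [ 'object-src', 'base-uri' ]
console.log(withStrictDefaults(SCRIPT_ONLY_CSP));
console.log(auditCsp(withStrictDefaults(SCRIPT_ONLY_CSP)).length); // 0
```

The same check applies whether the policy is delivered in a `Content-Security-Policy` response header or in the `<meta http-equiv>` tag the issue mentions, since the policy string is identical in both.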