From 8d9e1a0ad5a2dc0b191940eba9e5694e46e9cb1f Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 2 Sep 2025 11:39:46 -0300
Subject: [PATCH] fix(csp): add object-src to the CSP header BE-12217 (#1126)
---
 api/http/security/bouncer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index 55b7faecc..e6837bee0 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -534,7 +534,7 @@ func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
 }
 if csp {
- w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud js.hsforms.net; frame-ancestors 'none';")
+ w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud js.hsforms.net; object-src 'none'; frame-ancestors 'none';")
 }
 w.Header().Set("X-Content-Type-Options", "nosniff")
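Review bot: The new policy value still has no `base-uri` directive, which is the other directive normally set alongside `object-src 'none'` so that an injected `<base>` element cannot change how the page's relative URLs resolve; assuming the UI does not depend on a `<base>` pointing at another origin, the added line could read `w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud js.hsforms.net; object-src 'none'; base-uri 'self'; frame-ancestors 'none';")`. Because the policy also sets no `default-src`, every fetch directive not listed (connect-src, img-src, style-src, frame-src, and so on) remains unrestricted, so `object-src` had to be spelled out explicitly — that is what this commit does — and a short comment above the `if csp` block stating that the policy is intentionally script-only would stop the next reader from assuming a fallback exists. The enclosing MWSecureHeaders function starts and ends outside the hunk.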