Closed Bug 1766881 Opened 2 years ago Closed 1 year ago

Remove object-src requirement from the extension CSP, at least in MV3


(WebExtensions :: General, task, P3)



(firefox106 fixed)

106 Branch
Tracking Status
firefox106 --- fixed


(Reporter: robwu, Assigned: robwu)


(Blocks 1 open bug)


(Keywords: dev-doc-complete, Whiteboard: [addons-jira][wecg])


(1 file)

object-src is not useful in the extension CSP. Plugin support has been removed from Firefox, and there is consensus in the WECG to remove this.

For context, benefits and rationale behind the removal of object-src from the extension's CSP, see

Severity: -- → N/A
Priority: -- → P3
Assignee: nobody → rob
Blocks: 1581608

object-src used to be required because it controls plugins, and we did
not want to load unsafe sources as plugins. With NPAPI plugin support
having been dropped a long time ago, this reason no longer exists.
The requirement for "secure" object-src CSP directive meant that
extensions had to specify a boilerplate object-src if they wanted to
modify script-src.

This patch removes the object-src requirement from extension CSP,
which simplifies the usage and learning curve of CSP usage in

With this change, extensions can now load "unsafe" (remote) content
via <embed> and <object> tags. This relaxation does not reduce
the security because this was already possible with <iframe> tags.
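
The requirement described in the patch description above, as an added example that is not part of the bug or of Firefox's code: a simplified JavaScript model of the validation with and without the object-src requirement. The function names, the `requireObjectSrc` option and the rule that only 'self' and 'none' count as secure sources are assumptions made for illustration.

```javascript
// Simplified model of the check described in this bug; not Firefox's code.
// Assumption: only 'self' and 'none' count as "secure" sources here.
const SECURE_SOURCES = new Set(["'self'", "'none'"]);

// Split a CSP string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // In CSP the first occurrence of a directive wins; later ones are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return a list of problems; an empty list means the policy is accepted.
function checkExtensionCsp(policy, { requireObjectSrc }) {
  const directives = parseCsp(policy);
  const required = requireObjectSrc ? ["script-src", "object-src"] : ["script-src"];
  const errors = [];
  for (const name of required) {
    // In CSP, script-src and object-src fall back to default-src when absent.
    const sources = directives.get(name) ?? directives.get("default-src");
    if (sources === undefined) {
      errors.push(`missing required '${name}' directive`);
      continue;
    }
    for (const src of sources) {
      if (!SECURE_SOURCES.has(src.toLowerCase())) {
        errors.push(`'${name}' contains insecure source ${src}`);
      }
    }
  }
  return errors;
}

// Constructed sample policies: the old boilerplate and the script-src-only form.
const BOILERPLATE = "script-src 'self'; object-src 'self'";
const SCRIPT_ONLY = "script-src 'self'";
console.log(checkExtensionCsp(SCRIPT_ONLY, { requireObjectSrc: true }));
console.log(checkExtensionCsp(SCRIPT_ONLY, { requireObjectSrc: false }));
```

With the requirement on, the script-src-only policy is rejected for the missing object-src; with it off, the same policy passes while an insecure script-src source is still reported.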

Pushed by
Drop object-src requirement from extension CSP r=mixedpuppy
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

I have updated the documentation at

This should still be documented in the BCD entry and changelog (Firefox 106 for developers).

Keywords: dev-doc-needed

Documentation updates completed in PR #21190 and browser compatibility data changes in PR #17901.
