From 70efae33abfec966f486edee422023e2c6b61456 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 1 Jun 2026 05:07:27 +0000
Subject: [PATCH] fix(csp): flag object-src wildcard as a high-risk misconfiguration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
object-src * allows unrestricted plugin content (Flash, Java, ActiveX) that can execute scripts and bypass CSP. It was silently omitted from the wildcard-directive check, so a policy like: default-src 'self'; script-src 'self'; object-src * scored 20/30 — a perfect CSP score — despite the critical gap. Adds object-src to wildcardDirectives and a matching test case. https://claude.ai/code/session_01XNrf9CDh8K2SLvH7U5rPPs
---
src/rules.ts | 2 +-
test/analyzer.test.ts | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/rules.ts b/src/rules.ts
index db5d48c..50c344b 100644
--- a/src/rules.ts
+++ b/src/rules.ts
@@ -113,7 +113,7 @@ export function checkCSP(headers: RawHeaders): HeaderFinding {
 // fetch/navigation directive — not just as the first token of default-src/
 // script-src. img-src/style-src/font-src/media-src are intentionally omitted
 // as a wildcard there is low-risk and commonly legitimate.
- const wildcardDirectives = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src'];
+ const wildcardDirectives = ['default-src', 'script-src', 'object-src', 'connect-src', 'form-action', 'frame-src', 'worker-src'];
 const wildcarded = wildcardDirectives.filter(d => {
 const sources = extractCspDirective(raw, d);
 return sources !== undefined && sources.includes('*');
diff --git a/test/analyzer.test.ts b/test/analyzer.test.ts
index da35ca9..787a674 100644
--- a/test/analyzer.test.ts
+++ b/test/analyzer.test.ts 
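Review bot: The comment block directly above `wildcardDirectives` explains which directives are deliberately left out but says nothing about why `'object-src'` now belongs in the list, so the rationale lives only in the commit message and the next maintainer trimming the list has nothing in the code to stop them; adding `// object-src is included: a wildcard there admits arbitrary plugin content, which can run script outside script-src's control.` keeps the reasoning with the code. If `extractCspDirective` returns source tokens verbatim, as the `sources.includes('*')` test suggests, only a bare `*` is matched, so a scheme-only source such as `https:` in object-src would still pass unflagged; that is outside this commit's scope but worth a sentence in the same comment. checkCSP's body starts and ends outside the hunk.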
@@ -181,6 +181,11 @@ describe('checkCSP', () => {
 expect(r.score).toBe(13);
 });

+ it('detects wildcard in object-src', () => {
+ const r = checkCSP({ 'content-security-policy': "default-src 'self'; script-src 'self'; object-src *; form-action 'self'" });
+ expect(r.findings.some(f => /Wildcard.*object-src/i.test(f))).toBe(true);
+ });
+
 it('detects wildcard in form-action', () => {
 const r = checkCSP({ 'content-security-policy': "default-src 'self'; form-action *" });
 expect(r.findings.some(f => /Wildcard.*form-action/i.test(f))).toBe(true);
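Review bot: The new `it('detects wildcard in object-src')` case asserts only that a finding is emitted, while the symptom the commit message reports is the score — the policy scored a perfect 20/30 before the fix — so the regression is only half guarded; adding `expect(r.score).toBeLessThan(20);` after the findings assertion would pin it, or an exact value as the sibling case above does with `toBe(13)`. The exact post-fix score for this policy is not visible in the diff, so the number needs confirming from a run before it is hard-coded. A companion case with `object-src 'none'` asserting no object-src finding would also confirm the new directive does not produce a false positive on the recommended value.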