
fix(csp): flag wildcard object-src as a security risk#59

Open
dmchaledev wants to merge 1 commit into main from claude/nice-mendel-Y3IJo


Conversation

@dmchaledev
Contributor

Problem

object-src was missing from the wildcard-directive check in checkCSP. This meant a policy like:

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src *

received no penalty despite the wildcard, earning the same score as a policy with no wildcard at all.

This matters because object-src controls plugin content (Flash, Java applets, <object>/<embed> elements). A wildcard there lets attackers load malicious plugins from any origin — completely bypassing a strict script-src — since plugin execution is not subject to CSP script controls. Google's CSP guide and OWASP both recommend object-src 'none' explicitly.

Fix

Add object-src to the wildcardDirectives array in checkCSP (src/rules.ts line 116). The existing wildcard-detection logic already handles everything else; this is a one-line addition to the directive list.

- const wildcardDirectives = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src'];
+ const wildcardDirectives = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src', 'object-src'];
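Review bot: the new `'object-src'` entry only fires on an explicit `object-src` directive whose source list contains a literal `*`; a policy that omits `object-src` entirely inherits `default-src`, which is already in the array, so the inherited-wildcard case was covered before this change, while a policy with `default-src 'self'` and no `object-src` still yields no finding even though the description cites Google's CSP guide and OWASP recommending an explicit `object-src 'none'`. If that gap is intentionally out of scope, a one-line comment above `wildcardDirectives` stating that the list targets literal `*` sources only would keep the next reader from expecting more; otherwise a separate missing-object-src check looks like a worthwhile follow-up.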

Tests

Two new test cases in test/analyzer.test.ts:

  • detects wildcard in object-src — confirms object-src * is flagged and reduces score
  • does not flag a restrictive object-src — confirms object-src 'none' earns no penalty

All 84 tests pass.

Test plan

  • npm test — all 84 tests pass, including the 2 new ones
  • Verify object-src * triggers the "Wildcard (*) source in object-src" finding
  • Verify object-src 'none' is not flagged

https://claude.ai/code/session_012BC1VP4X5zcbRhbqd8SyRB
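As an added illustration (not the project's checkCSP or its tests), here is a minimal TypeScript model of the wildcard-directive check described above, run with the directive list before and after the fix. The parser, the `wildcardFindings` function and the sample policies are constructed for this example; the finding text follows the wording quoted in the test plan.

```typescript
// Added example, not the project's checkCSP: a minimal model of the
// wildcard-directive check, showing the effect of adding object-src.

type Policy = Map<string, string[]>;

// Parse a CSP header value into directive name -> source-list tokens.
// Directive names are case-insensitive; the first occurrence of a
// directive wins and later duplicates are ignored, as the CSP spec requires.
function parseCSP(header: string): Policy {
  const policy: Policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    const name = (tokens[0] ?? '').toLowerCase();
    if (name === '' || policy.has(name)) continue;
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The directive list before the fix (no object-src) and after it.
const BEFORE_FIX = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src'];
const AFTER_FIX = [...BEFORE_FIX, 'object-src'];

// One finding per listed directive whose source list contains a bare '*'.
// Only the lone '*' token is the unrestricted wildcard; host patterns such
// as *.example.com are narrower and are deliberately not flagged here.
function wildcardFindings(header: string, directives: string[]): string[] {
  const policy = parseCSP(header);
  const findings: string[] = [];
  for (const name of directives) {
    const sources = policy.get(name);
    if (sources !== undefined && sources.includes('*')) {
      findings.push(`Wildcard (*) source in ${name}`);
    }
  }
  return findings;
}

// Constructed sample policies mirroring the cases in the PR description.
const WILDCARD_OBJECT_SRC = "default-src 'self'; script-src 'self'; object-src *";
const RESTRICTIVE_OBJECT_SRC = "default-src 'self'; script-src 'self'; object-src 'none'";

// Before the fix the wildcard policy yields no finding; after it, exactly one.
console.log('before:', wildcardFindings(WILDCARD_OBJECT_SRC, BEFORE_FIX));
console.log('after: ', wildcardFindings(WILDCARD_OBJECT_SRC, AFTER_FIX));
console.log('none:  ', wildcardFindings(RESTRICTIVE_OBJECT_SRC, AFTER_FIX));
```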


Generated by Claude Code

object-src was missing from the wildcard-directive check. An explicit
`object-src *` allowed plugins (Flash, Java applets) to load from any
origin, bypassing even a strict script-src, because plugin content is
not subject to CSP script controls.

Adds object-src to the checked directive list and two covering tests.

https://claude.ai/code/session_012BC1VP4X5zcbRhbqd8SyRB