diff --git a/tsweb/debug.go b/tsweb/debug.go
index 66038192d..6db3f25cf 100644
--- a/tsweb/debug.go
+++ b/tsweb/debug.go
@@ -167,7 +167,7 @@ func debugBrowserHeaderHandler(h http.Handler) http.Handler {
 // The only difference from AddBrowserHeaders is that this policy
 // allows inline CSS styles. They make debug pages much easier to
 // prototype, while the risk of user-injected CSS is relatively low.
- w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'; style-src 'self' 'unsafe-inline'")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'; style-src 'self' 'unsafe-inline'")
 h.ServeHTTP(w, r)
 })
 }
diff --git a/tsweb/tsweb.go b/tsweb/tsweb.go
index 0c504e787..652f09692 100644
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
@@ -458,7 +458,7 @@ func VarzHandler(w http.ResponseWriter, r *http.Request) {
 // https://infosec.mozilla.org/guidelines/web_security
 func AddBrowserHeaders(w http.ResponseWriter) {
 w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
- w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'")
 w.Header().Set("X-Frame-Options", "DENY")
 w.Header().Set("X-Content-Type-Options", "nosniff")
 }
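Review bot: The base policy string is still duplicated between debugBrowserHeaderHandler in debug.go and AddBrowserHeaders in tsweb.go, which is exactly why this fix had to be applied twice and why the two can silently drift the next time a directive changes; this applies to both hunks. Since both files are in package tsweb, hoist the shared part into one unexported constant in tsweb.go, `const baseCSP = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'"`, use it in AddBrowserHeaders as `w.Header().Set("Content-Security-Policy", baseCSP)`, and in the debug handler as `w.Header().Set("Content-Security-Policy", baseCSP+"; style-src 'self' 'unsafe-inline'")`, so the debug policy is expressed as the documented delta rather than a second copy. While the deprecated plugin-types directive is being swapped for object-src, note that block-all-mixed-content is, as far as I recall, also marked deprecated in current CSP specs; whether to keep it or rely on HSTS alone is worth a one-line comment on the constant so the next reader does not re-raise it. debugBrowserHeaderHandler starts outside the first hunk.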