From 1f1ab7425021b3a18851dfb1d507765b8ac0341c Mon Sep 17 00:00:00 2001
From: Chris Palmer
Date: Wed, 3 Jan 2024 09:00:57 -0800
Subject: [PATCH] tsweb: use object-src instead of plugin-types (#10719)

plugin-types is deprecated, and setting object-src: 'none' is best practice. This should result in no functional change.

Fixes #10718

Signed-off-by: Chris Palmer
---
 tsweb/debug.go | 2 +-
 tsweb/tsweb.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tsweb/debug.go b/tsweb/debug.go
index 66038192d..6db3f25cf 100644
--- a/tsweb/debug.go
+++ b/tsweb/debug.go
@@ -167,7 +167,7 @@ func debugBrowserHeaderHandler(h http.Handler) http.Handler {
 // The only difference from AddBrowserHeaders is that this policy
 // allows inline CSS styles. They make debug pages much easier to
 // prototype, while the risk of user-injected CSS is relatively low.
- w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'; style-src 'self' 'unsafe-inline'")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'; style-src 'self' 'unsafe-inline'")
 h.ServeHTTP(w, r)
 })
 }
diff --git a/tsweb/tsweb.go b/tsweb/tsweb.go
index 0c504e787..652f09692 100644
--- a/tsweb/tsweb.go
+++ b/tsweb/tsweb.go
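Review bot: The CSP string on the `+` line repeats the directive list from AddBrowserHeaders in tsweb.go verbatim, with only `style-src 'self' 'unsafe-inline'` appended, so every directive change like this one has to be made in two places; the same applies to the tsweb.go hunk. A shared package-level constant would make the two policies differ only where the comment says they do: `const browserCSP = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'"` in tsweb.go, with this line becoming `w.Header().Set("Content-Security-Policy", browserCSP+"; style-src 'self' 'unsafe-inline'")`. debugBrowserHeaderHandler begins before this hunk.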
@@ -458,7 +458,7 @@ func VarzHandler(w http.ResponseWriter, r *http.Request) {
 // https://infosec.mozilla.org/guidelines/web_security
 func AddBrowserHeaders(w http.ResponseWriter) {
 w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
- w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'")
 w.Header().Set("X-Frame-Options", "DENY")
 w.Header().Set("X-Content-Type-Options", "nosniff")
 }
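Review bot: `block-all-mixed-content`, kept on the `+` line, is deprecated in the same way `plugin-types` was (browsers now block mixed content by default, and `upgrade-insecure-requests` is the directive that replaced it), so the policy still carries one obsolete directive after this cleanup; dropping it, or replacing it with `upgrade-insecure-requests`, would finish the job. Note also that `object-src 'none'` is stricter than the previous effective policy: with no explicit `object-src`, the directive fell back to `default-src 'self'`, which still allowed same-origin `<object>`/`<embed>` content, so this is a (desirable) tightening rather than no functional change. AddBrowserHeaders is fully contained in this hunk. If a test in the package pins these header values, it presumably needs the new string as well.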