From bdfaef48794c7635e03a3c606c7a7abd7083ab2f Mon Sep 17 00:00:00 2001
From: Chris Palmer
Date: Thu, 18 Apr 2024 10:39:11 -0700
Subject: [PATCH] safeweb: allow object-src: self in CSP (#11782)

This change is safe (self is still safe, by definition), and makes the code match the comment.
Updates #cleanup
Signed-off-by: Chris Palmer
---
 safeweb/http.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/safeweb/http.go b/safeweb/http.go
index 77853f6ee..96ef8f9a7 100644
--- a/safeweb/http.go
+++ b/safeweb/http.go
@@ -89,7 +89,7 @@ var defaultCSP = strings.Join([]string{
 	`form-action 'self'`, // disallow form submissions to other origins
 	`base-uri 'self'`, // disallow base URIs from other origins
 	`block-all-mixed-content`, // disallow mixed content when serving over HTTPS
-	`object-src 'none'`, // disallow embedding of resources from other origins
+	`object-src 'self'`, // disallow embedding of resources from other origins
 }, "; ")
 
 // Config contains the configuration for a safeweb server.
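Review bot: The "self is still safe, by definition" claim behind the `+` line deserves a caveat, because `object-src 'self'` lets the page embed any same-origin response via `<object>`/`<embed>`, and a same-origin document loaded that way can script its embedder, so any same-origin handler that echoes attacker-influenced bytes (uploads, reflected SVG/HTML, an endpoint served without its own CSP) becomes a way around the `script-src` restriction. Strict-CSP guidance keeps `object-src 'none'` as the baseline precisely for this reason, so if no safeweb handler actually needs object/embed content, resolving the comment/code mismatch by fixing the comment (`// disallow plugins and <object>/<embed> embedding entirely`) would have been the conservative choice. If `'self'` is genuinely required, the assumption it rests on should be stated on the line rather than the current comment, which still reads as if cross-origin embedding were the only concern, e.g. `` `object-src 'self'`, // same-origin <object>/<embed> only; assumes every same-origin response is safe to embed as a document ``. The `defaultCSP` declaration starts before this hunk, so the rest of the policy is not visible here.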