FEATURE: set CSP base-uri and object-src to none (#6863)

FEATURE: set CSP base-uri and object-src to none (#6863)

diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index d92285a..1e056f7 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -7,6 +7,8 @@ class ContentSecurityPolicy
 
     def initialize
       @directives = {}.tap do |directives|
+        directives[:base_uri] = [:none]
+        directives[:object_src] = [:none]
         directives[:script_src] = script_src
         directives[:worker_src] = worker_src
         directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports
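Review bot: The two new directives at the top of the block carry no comment saying why they are fixed to 'none' and not exposed through a SiteSetting the way report-uri is on the last line, so a later maintainer may loosen them without knowing what they defend against. Suggest a short comment above the `directives[:base_uri]` line, e.g. `# base-uri 'none' stops an injected <base> tag from rewriting relative URLs (including script loads); object-src 'none' blocks <object>/<embed>/<applet> plugin content. Keep these fixed, not site-configurable.` The hunk stores the bare symbol `:none` while the spec in this commit expects the serialized value `'none'`, so presumably the policy builder quotes keyword sources on output; that builder is outside this hunk, as is the rest of `initialize`, whose body continues past the last line shown.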
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index 79f190e..b220579 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -16,6 +16,20 @@ describe ContentSecurityPolicy do
     end
   end
 
+  describe 'base-uri' do
+    it 'is set to none' do
+      base_uri = parse(policy)['base-uri']
+      expect(base_uri).to eq(["'none'"])
+    end
+  end
+
+  describe 'object-src' do
+    it 'is set to none' do
+      object_srcs = parse(policy)['object-src']
+      expect(object_srcs).to eq(["'none'"])
+    end
+  end
+
   describe 'worker-src' do
     it 'always has self and blob' do
       worker_srcs = parse(policy)['worker-src']
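Review bot: The two new examples name their locals inconsistently (`base_uri` singular, `object_srcs` plural) while the existing worker-src example uses the plural form; pick one, e.g. rename the first to `base_uris = parse(policy)['base-uri']`. Since the two describe blocks are otherwise identical, they could be collapsed into a single `%w[base-uri object-src].each do |directive|` loop with one `it "is set to none"` example, which also makes it obvious that both directives are intended to be exactly `'none'` with no additional sources (a policy that lists 'none' alongside other sources is malformed, so the exact-array `eq` matcher is the right choice here).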

GitHub sha: dec8e587