diff --git a/configUtil.js b/configUtil.js
index 9f4eb46e3..274c3d786 100644
--- a/configUtil.js
+++ b/configUtil.js
@@ -30,6 +30,7 @@ module.exports = {
 'base-uri ': "'self'",
 // to allow worker
 'child-src': "'self' blob:",
+ 'object-src': "'none'",
 'frame-ancestors': " 'none'",
 'form-action': "'none'",
 'report-uri': ' https://csp-reporter.ente.io/local',
diff --git a/public/_headers b/public/_headers
index 2104a2445..388d4038c 100644
--- a/public/_headers
+++ b/public/_headers
@@ -8,5 +8,5 @@
 X-Frame-Options: deny
 X-XSS-Protection: 1; mode=block
 Referrer-Policy: same-origin
- Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
+ Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
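Review bot: The directive key on the context line two above the new `object-src` entry, `'base-uri '`, carries a trailing space inside the quotes, and the `'frame-ancestors'` and `'report-uri'` values carry a leading space; if this map is serialized as `key value` pairs (the serializer is outside the hunk, so this is inferred) that whitespace is emitted into the header. Browsers tolerate extra whitespace between CSP tokens, so it is cosmetic today, but any lookup by key (`config['base-uri']`) or stricter consumer will miss the padded key. While touching this block, suggest `'base-uri': "'self'",`, `'frame-ancestors': "'none'",` and `'report-uri': 'https://csp-reporter.ente.io/local',`. The `module.exports` object starts and ends outside the hunk.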
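Review bot: `report-to https://csp-reporter.ente.io;` at the end of the new header line is not a valid `report-to` directive: `report-to` takes the name of a reporting group declared in a `Reporting-Endpoints` (or legacy `Report-To`) response header, not a URL, so browsers ignore it and only the deprecated `report-uri` actually delivers reports. Either add `Reporting-Endpoints: csp-endpoint="https://csp-reporter.ente.io"` to this file and change the directive to `report-to csp-endpoint;`, or drop `report-to` until that header exists. Separately, the header is still `Content-Security-Policy-Report-Only`, so the newly added `object-src 'none'` (like the rest of the policy) is only reported, never enforced; `script-src 'self' 'unsafe-eval' blob:` is also worth tightening before switching to enforcement, since eval plus blob: scripts leave an injected script little it cannot do. The header group these lines belong to (the indented block under a path rule) presumably begins before this hunk.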