Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.91 -r1.92
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Apr 2018 19:23:26 -0000 1.91
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 2 May 2018 07:19:26 -0000 1.92
@@ -2303,7 +2303,8 @@
 security::csp::require style-src 'self'
 security::csp::require img-src 'self'
 security::csp::require font-src 'self'
-
+ security::csp::require base-uri 'self'
+
 #
 # Some browser (safari, chrome) need "font-src data:", maybe
 # for plugins or diffent font settings. Seems safe enough.
@@ -2346,6 +2347,11 @@
 #
 security::csp::require report-uri /SYSTEM/csp-collector.tcl
 
+ #
+ # We do not need object-src
+ #
+ security::csp::require object-src 'none'
+
 set policy ""
 foreach directive {
 child-src
@@ -2363,6 +2369,7 @@
 sandbox
 script-src
 style-src
+ base-uri
 } {
 set var ::__csp__directive($directive)
 if {[info exists $var]} {
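Review bot: The new `security::csp::require base-uri 'self'` line in the first hunk is the only directive in this group without a rationale comment, while the `font-src data:` addition just below it has one; a short comment such as `# base-uri 'self': injected <base> elements cannot redirect relative URLs off-site` would make the intent explicit to the next reader. The directive only reaches the emitted policy because the third hunk also adds `base-uri` to the directive list of the policy loop, which a reader of this hunk alone cannot see. The enclosing proc starts before this hunk.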
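Review bot: The new `security::csp::require object-src 'none'` in the second hunk only makes it into the policy string if `object-src` is already an entry of the `foreach directive` list that begins at the end of this hunk; the middle of that list is outside the diff, and `base-uri` needed an explicit list entry in the third hunk, so please confirm `object-src` is present there, otherwise the directive is silently dropped from the emitted header. The comment `# We do not need object-src` records the decision but not the reason; `# No <object>/<embed> plugin content is served, so forbid it outright` would document why `'none'` is safe here. The foreach loop continues past the end of this hunk.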
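Review bot: `base-uri` is appended after `style-src` in the third hunk, which appears to break the alphabetical order the visible part of the directive list follows (`sandbox`, `script-src`, `style-src`); placing it before the first entry keeps the list sorted and easier to reconcile against the `security::csp::require` calls above. The foreach body continues beyond the hunk.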