Description
Currently, in MV2 and MV3 the CSP requires the `script-src` and `object-src` directives to be specified with secure sources only. `script-src` is restricted to avoid unsafe code execution, `object-src` was restricted to avoid unsafe plugin code execution (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src).

These days, with plugin support having been removed from web browsers*, `object-src` is not useful any more. But at least Firefox and Chrome still require `object-src` (or `default-src` as a fallback) with "secure" sources to be specified if extensions want to specify a custom CSP, despite `object-src` not being useful.

I propose that we remove `object-src` from the default CSP (which I suggested at #98 (comment)), at least in MV3. This makes the CSP more readable and makes it easier to override the custom CSP.
* Firefox no longer supports NPAPI plugins, including the Flash plugin. Chrome does not support NPAPI plugins either, and (P)NaCl (NativeClient) has been deprecated and support is ending (https://blog.chromium.org/2020/01/moving-forward-from-chrome-apps.html). Even if there is somehow a desire to support (P)NaCl in the future, the implementation does not need to rely on CSP to block access by extensions.
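As an added example (not code from the issue author, from Firefox, or from Chrome), the following JavaScript models the validation rule the issue describes: an extension's custom CSP is accepted only if `script-src` and `object-src`, with `default-src` as the fallback for a missing directive, contain nothing but "secure" sources, and the `requireObjectSrc` option shows what the proposal changes. The set of source expressions treated as "secure" here ('self', 'none', nonces, hashes, and extension-scheme origins) is an assumption made for illustration; it is not the exact list either browser uses, and the function names and sample policies are constructed for this example.

```javascript
// Added example: a simplified model of the extension-CSP check described in the
// issue. Not the browsers' actual implementation; the "secure source" list is an
// assumption for illustration.

// Parse a CSP string into a Map of directive name -> array of source expressions.
// Directive names are case-insensitive; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// ASSUMED definition of a "secure" source expression for this model.
function isSecureSource(src) {
  const s = src.toLowerCase();
  if (s === "'self'" || s === "'none'") return true;
  if (/^'(nonce|sha(256|384|512))-[A-Za-z0-9+/=]+'$/.test(src)) return true;
  if (/^(moz-extension|chrome-extension):\/\//.test(s)) return true;
  return false; // http(s) origins, '*', 'unsafe-eval', 'unsafe-inline', data:, etc.
}

// Resolve a fetch directive, falling back to default-src when it is absent.
function resolveDirective(directives, name) {
  if (directives.has(name)) return { sources: directives.get(name), from: name };
  if (directives.has('default-src')) {
    return { sources: directives.get('default-src'), from: 'default-src' };
  }
  return null;
}

// Validate a custom extension CSP. With requireObjectSrc=true this mirrors the
// current behaviour the issue describes (object-src or a default-src fallback is
// mandatory); with requireObjectSrc=false only script-src is checked, which is
// what dropping object-src from the required set would look like.
function validateExtensionCsp(policy, { requireObjectSrc = true } = {}) {
  const directives = parseCsp(policy);
  const required = requireObjectSrc ? ['script-src', 'object-src'] : ['script-src'];
  const errors = [];
  for (const name of required) {
    const resolved = resolveDirective(directives, name);
    if (!resolved) {
      errors.push(`${name} is missing and there is no default-src fallback`);
      continue;
    }
    const insecure = resolved.sources.filter((s) => !isSecureSource(s));
    if (insecure.length > 0) {
      errors.push(`${name} (via ${resolved.from}) has insecure sources: ${insecure.join(' ')}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample policies exercising the fallback and the proposal.
const SAMPLE_POLICIES = [
  "script-src 'self'; object-src 'self'",               // accepted today
  "default-src 'self'; script-src 'self'",              // object-src via default-src
  "script-src 'self'",                                  // rejected today, fine under proposal
  "script-src 'self' 'unsafe-eval'; object-src 'none'", // script-src insecure
  "script-src 'self'; object-src https://example.com",  // object-src insecure
];

for (const policy of SAMPLE_POLICIES) {
  const current = validateExtensionCsp(policy);
  const proposed = validateExtensionCsp(policy, { requireObjectSrc: false });
  console.log(`${policy}\n  current:  ${current.ok ? 'ok' : current.errors.join('; ')}` +
              `\n  proposed: ${proposed.ok ? 'ok' : proposed.errors.join('; ')}`);
}
```

The third sample policy is the case the issue is about: a manifest CSP that names only `script-src` is rejected under the current rule solely because `object-src` (or `default-src`) is absent, while the same policy passes once `object-src` is no longer required. The other samples show that dropping `object-src` does not weaken the `script-src` check.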