The source list for Content Security Policy directive 'object-src' contains an invalid source: ''*''

I am developing a Nextcloud app using javascript to load a pdf file to the app-content which trigger by app-menu click function. The code is as below:
#########################################################
var html = ‘’;
$("#"+obj.screenName).html(html);
#########################################################
From Chrome, I get an error "The source list for Content Security Policy directive ‘object-src’ contains an invalid source: ‘’*’’. "

Wonder if someone can give me an idea of how to fix it?