From 8f47ce42dc9a9542e2f7c8afb4c804ebb45e32be Mon Sep 17 00:00:00 2001
From: Julien Castiaux
Date: Mon, 14 Aug 2023 12:04:58 +0200
Subject: [PATCH] [FIX] deploy: set Content-Security-Policy on static

The Content-Security-Policy[^1] http header was only set on the response generated by controllers but it was missing from the `//static/` route.

It is not strictly necessary to set that header on the responses coming from that route as it is not possible to add new static files or edit existing ones via the interface (not even as admin). Only the developers and system administrator can access those files.

It is also worth mentioning that using the Odoo internal web server to deliver static files is suboptimal. Outside of a dev environment, those files will typically be delivered via a web server[^2] and sysadmins should configure their web server to set the CSP header on static images.

[^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[^2]: https://www.odoo.com/documentation/master/administration/install/deploy.html#serving-static-files-and-attachments

closes odoo/documentation#6950

X-original-commit: f3f44fe5f201cf681859e3158a413672078707c7
Related: odoo/odoo#146584
Signed-off-by: Julien Castiaux (juc)
---
 content/administration/install/deploy.rst | 88 ++++++++++++++---------
 1 file changed, 54 insertions(+), 34 deletions(-)

diff --git a/content/administration/install/deploy.rst b/content/administration/install/deploy.rst
index 9cc26da7b..1e783cc53 100644
--- a/content/administration/install/deploy.rst
+++ b/content/administration/install/deploy.rst
@@ -439,51 +439,71 @@ Odoo static files are located in each module's :file:`static/` folder, so static by intercepting all requests to :samp:`/{MODULE}/static/{FILE}`, and looking up the right module (and file) in the various addons paths. -.. example:: - Say Odoo has been installed via the **debian packages** for Community and Enterprise and the - :option:`--addons-path ` is ``'/usr/lib/python3/dist-packages/odoo/addons'``. +It is recommended to set the ``Content-Security-Policy: default-src 'none'`` header on all images +delivered by the web server. It is not strictly necessary as users cannot modify/inject content +inside of modules' :file:`static/` folder and existing images are final (they do not fetch new +resources by themselves). However, it is good practice. - Using the above NGINX (https) configuration, the following location block should be added to - serve static files via NGINX. +Using the above NGINX (https) configuration, the following ``map`` and ``location`` blocks should be +added to serve static files via NGINX. - .. code-block:: nginx +.. code-block:: nginx - location @odoo { - # copy-paste the content of the / location block - } + map $sent_http_content_type $content_type_csp { + default ""; + ~image/ "default-src 'none'"; + } - # Serve static files right away - location ~ ^/[^/]+/static/.+$ { - root /usr/lib/python3/dist-packages/odoo/addons; - try_files $uri @odoo; - expires 24h; - } + server { + # the rest of the configuration + + location @odoo { + # copy-paste the content of the / location block + } + + # Serve static files right away + location ~ ^/[^/]+/static/.+$ { + # root and try_files both depend on your addons paths + root ...; + try_files ... @odoo; + expires 24h; + add_header Content-Security-Policy $content_type_csp; + } + } + +The actual ``root`` and ``try_files`` directives are dependant on your installation, specifically on +your :option:`--addons-path `. .. example:: - Say Odoo has been installed via the **source**. 
The two git repositories for Community and - Enterprise have been cloned in :file:`/opt/odoo/community` and :file:`/opt/odoo/enterprise` - respectively and the :option:`--addons-path ` is - ``'/opt/odoo/community/odoo/addons,/opt/odoo/community/addons,/opt/odoo/enterprise'``. - Using the above NGINX (https) configuration, the following location block should be added to - serve static files via NGINX. + .. tabs:: - .. code-block:: nginx + .. group-tab:: Debian package - location @odoo { - # copy-paste the content of the / location block - } + Say Odoo has been installed via the **debian packages** for Community and Enterprise, and + that the :option:`--addons-path ` is + ``'/usr/lib/python3/dist-packages/odoo/addons'``. - # Serve static files right away - location ~ ^/[^/]+/static/.+$ { - root /opt/odoo; - try_files /community/odoo/addons$uri /community/addons$uri /enterprise$uri @odoo; - expires 24h; - } + The ``root`` and ``try_files`` should be: -.. warning:: - The actual NGINX configuration you need is highly dependent on your own installation. The two - above snippets only highlight two possible configurations and may not be used as-is. + .. code-block:: nginx + + root /usr/lib/python3/dist-packages/odoo/addons; + try_files $uri @odoo; + + .. group-tab:: Git sources + + Say Odoo has been installed via the **sources**, that both the Community and Enterprise git + repositories were cloned in :file:`/opt/odoo/community` and :file:`/opt/odoo/enterprise` + respectively, and that the :option:`--addons-path ` is + ``'/opt/odoo/community/odoo/addons,/opt/odoo/community/addons,/opt/odoo/enterprise'``. + + The ``root`` and ``try_files`` should be: + + .. code-block:: nginx + + root /opt/odoo; + try_files /community/odoo/addons$uri /community/addons$uri /enterprise$uri @odoo; Serving attachments -------------------
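Review bot: the new `add_header Content-Security-Policy $content_type_csp;` inside the static `location` block silently drops every `add_header` directive inherited from the enclosing `server` block, because nginx only inherits `add_header` from the parent level when the current level defines none of its own; whatever headers "the rest of the configuration" sets at server level (for instance HSTS, if the HTTPS example above sets it) would therefore stop being sent on static responses, so either repeat those `add_header` lines inside this location or say so in the text. The `default ""` in the `map` works only because nginx skips `add_header` when the value expands to an empty string, which is intentional but deserves a comment in the snippet, as does the fact that `map` must sit in the `http` context (the snippet places it outside `server`, but the prose just says the blocks "should be added"). On the documentation side, the paragraph claims existing images "do not fetch new resources by themselves", yet `~image/` also matches `image/svg+xml`, and an SVG opened as a top-level document can carry inline script and external references, which is exactly what `default-src 'none'` neutralises; stating that would give the recommendation a concrete reason instead of "it is good practice". Minor: "dependant" should read "dependent" in "directives are dependant on your installation".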