[FIX] deploy: set Content-Security-Policy on static

The Content-Security-Policy[^1] http header was only set on the response generated by controllers but it was missing from the `/<module>/static/` route. It is not strictly necessary to set that header on the responses comming from that routes as it is not possible to add new static files or edit existing ones via the interface (not even as admin). Only the developers and system administrator can access those files. It is also worth mentionning that using the Odoo internal web server to deliver static files is suboptimal. Outside of a dev environment, those files will typically be delivered via a web server[^2] and sysadmins should configure their web server to set the CSP header on static images. [^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP [^2]: https://www.odoo.com/documentation/master/administration/install/deploy.html#serving-static-files-and-attachments closes odoo/documentation#5485 Related: odoo/odoo#131700 Signed-off-by: Julien Castiaux (juc) <juc@odoo.com>
2023-08-14 12:04:58 +02:00 · 2023-08-14 12:04:58 +02:00 · f3f44fe5f2
commit f3f44fe5f2
parent 09c42c5896
1 changed files with 54 additions and 34 deletions
--- a/content/administration/install/deploy.rst
+++ b/content/administration/install/deploy.rst
@ -439,51 +439,71 @@ Odoo static files are located in each module's :file:`static/` folder, so static
 by intercepting all requests to :samp:`/{MODULE}/static/{FILE}`, and looking up the right module
 (and file) in the various addons paths.

-.. example::
-   Say Odoo has been installed via the **debian packages** for Community and Enterprise and the
-   :option:`--addons-path <odoo-bin --addons-path>` is ``'/usr/lib/python3/dist-packages/odoo/addons'``.
+It is recommended to set the ``Content-Security-Policy: default-src 'none'`` header on all images
+delivered by the web server. It is not strictly necessary as users cannot modify/inject content
+inside of modules' :file:`static/` folder and existing images are final (they do not fetch new
+resources by themselves). However, it is good practice.

-   Using the above NGINX (https) configuration, the following location block should be added to
-   serve static files via NGINX.
+Using the above NGINX (https) configuration, the following ``map`` and ``location`` blocks should be
+added to serve static files via NGINX.

 .. code-block:: nginx

+    map $sent_http_content_type $content_type_csp {
+        default "";
+        ~image/ "default-src 'none'";
+    }
+
+    server {
+        # the rest of the configuration
+
        location @odoo {
            # copy-paste the content of the / location block
        }

        # Serve static files right away
        location ~ ^/[^/]+/static/.+$ {
+            # root and try_files both depend on your addons paths
+            root ...;
+            try_files ... @odoo;
+            expires 24h;
+            add_header Content-Security-Policy $content_type_csp;
+        }
+    }
+
+The actual ``root`` and ``try_files`` directives are dependant on your installation, specifically on
+your :option:`--addons-path <odoo-bin --addons-path>`.
+
+.. example::
+
+   .. tabs::
+
+      .. group-tab:: Debian package
+
+         Say Odoo has been installed via the **debian packages** for Community and Enterprise, and
+         that the :option:`--addons-path <odoo-bin --addons-path>` is
+         ``'/usr/lib/python3/dist-packages/odoo/addons'``.
+
+         The ``root`` and ``try_files`` should be:
+
+         .. code-block:: nginx
+
            root /usr/lib/python3/dist-packages/odoo/addons;
            try_files $uri @odoo;
-           expires 24h;
-       }

-.. example::
-   Say Odoo has been installed via the **source**. The two git repositories for Community and
-   Enterprise have been cloned in :file:`/opt/odoo/community` and :file:`/opt/odoo/enterprise`
-   respectively and the :option:`--addons-path <odoo-bin --addons-path>` is
+      .. group-tab:: Git sources
+
+         Say Odoo has been installed via the **sources**, that both the Community and Enterprise git
+         repositories were cloned in :file:`/opt/odoo/community` and :file:`/opt/odoo/enterprise`
+         respectively, and that the :option:`--addons-path <odoo-bin --addons-path>` is
         ``'/opt/odoo/community/odoo/addons,/opt/odoo/community/addons,/opt/odoo/enterprise'``.

-   Using the above NGINX (https) configuration, the following location block should be added to
-   serve static files via NGINX.
+         The ``root`` and ``try_files`` should be:

         .. code-block:: nginx

-       location @odoo {
-           # copy-paste the content of the / location block
-       }
-
-       # Serve static files right away
-       location ~ ^/[^/]+/static/.+$ {
            root /opt/odoo;
            try_files /community/odoo/addons$uri /community/addons$uri /enterprise$uri @odoo;
-           expires 24h;
-       }
-
-.. warning::
-   The actual NGINX configuration you need is highly dependent on your own installation. The two
-   above snippets only highlight two possible configurations and may not be used as-is.

 Serving attachments
 -------------------