The Content-Security-Policy[^1] HTTP header was only set on the responses
generated by controllers but it was missing from the `/<module>/static/`
route.

It is not strictly necessary to set that header on the responses coming
from that route as it is not possible to add new static files or edit
existing ones via the interface (not even as admin). Only the developers
and system administrators can access those files.

It is also worth mentioning that using the Odoo internal web server to
deliver static files is suboptimal. Outside of a dev environment, those
files will typically be delivered via a web server[^2] and sysadmins
should configure their web server to set the CSP header on static images.
[^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[^2]: https://www.odoo.com/documentation/master/administration/install/deploy.html#serving-static-files-and-attachments
closes odoo/documentation#6952
X-original-commit:
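
The web-server side of the point above, as an added nginx example (not part of the commit or of the project's code). The host name, the addons path and the upstream address are assumptions; the `map` sets a restrictive policy only when the response being sent is an image.

```nginx
# Added example. Assumed values: odoo.example.com, /opt/odoo/addons,
# and the application listening on 127.0.0.1:8069.

# Choose the CSP from the Content-Type of the response being sent.
# An empty value makes add_header emit no header at all.
map $sent_http_content_type $static_csp {
    default  "";
    ~image/  "default-src 'none'";
}

server {
    listen 80;
    server_name odoo.example.com;              # assumed

    # Controller responses: the application sets its own CSP header.
    location / {
        proxy_pass http://127.0.0.1:8069;      # assumed
    }

    # /<module>/static/... is read from disk; files not found on disk
    # fall back to the application.
    location ~ ^/[^/]+/static/.+$ {
        root /opt/odoo/addons;                 # assumed
        try_files $uri @odoo;
        expires 24h;
        # Defining add_header here drops any add_header inherited from
        # the server block, so repeat other security headers if needed.
        add_header Content-Security-Policy $static_csp;
    }

    # Fallback: the add_header above does not apply in this location,
    # so these responses carry whatever the application sends.
    location @odoo {
        proxy_pass http://127.0.0.1:8069;
    }
}
```

After a reload, `curl -sI` against an image under `/<module>/static/` should show the `Content-Security-Policy` line, while a non-image static file should not.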