The Content-Security-Policy[^1] HTTP header was only set on the response generated by controllers but it was missing from the `/<module>/static/` route. It is not strictly necessary to set that header on the responses coming from that route as it is not possible to add new static files or edit existing ones via the interface (not even as admin). Only the developers and system administrator can access those files. It is also worth mentioning that using the Odoo internal web server to deliver static files is suboptimal. Outside of a dev environment, those files will typically be delivered via a web server[^2] and sysadmins should configure their web server to set the CSP header on static images. [^1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP [^2]: https://www.odoo.com/documentation/master/administration/install/deploy.html#serving-static-files-and-attachments closes odoo/documentation#5485 Related: odoo/odoo#131700 Signed-off-by: Julien Castiaux (juc) <juc@odoo.com> |
||
---|---|---|
.. | ||
administration | ||
applications | ||
contributing | ||
developer | ||
legal | ||
administration.rst | ||
applications.rst | ||
contributing.rst | ||
developer.rst | ||
index.rst | ||
last_build.rst | ||
legal.rst |