Versions Compared

Comment: update Security Content Policy to remove prefetch-src and include maps.googleapis.com

...

A new tool randomises the secrets from the command line. It regenerates the omkd_secrets tokens in OMK and also the NMIS auth_web_key when that key matches one of the OMK tokens. The omkd_secrets token is used for Single Sign-On; see SSO for Opmantek Firstwave Applications.

This tool is also called by the installer and is the fix for CVE-2021-38551.

...

/usr/local/omk/bin/opcommon-cli.exe act=secrets_randomise [force=true] [length=N]

Where:

    • force=true regenerates the token even when it is not the default value (without it, only tokens that still match the default, i.e. =~ change_me, are changed)
    • length=N sets the length of the generated token to N characters (32 by default)

...

The default values can be overridden by setting the configuration item security_content_policy under the authentication section of the configuration file, opCommon.json.

...

Code Block
"connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com ws: wss: maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"

...

Code Block
"connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data: maps.google.com maps.gstatic.com; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"

...

For example, to embed one of the Opmantek FirstWave applications in an iFrame, you need to change the frame-ancestors and frame-src directives, which the default policy sets to 'none'. frame-ancestors controls which sites may frame the application (this is the directive that actually permits embedding and, when kept tight, protects against clickjacking); frame-src controls what the application itself may frame. Restrict both to the embedding origin rather than a broad wildcard, e.g.

...

Code Block
"security_content_policy": "connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com;
     font-src 'self' fonts.gstatic.com; 
    form-action 'self';
    frame-ancestors https://*.yourdomain.com;
    frame-src https://*.yourdomain.com;
    manifest-src 'none';
    media-src 'none';
    object-src 'none';
    prefetch-src 'self';
    script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com;
    style-src 'self' fonts.googleapis.com 'unsafe-inline';
    worker-src 'self';"
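The policy handling described above (overriding security_content_policy and opening frame-ancestors and frame-src for one embedding origin), as an added example that is not Opmantek or FirstWave code: a small JavaScript helper that parses a policy string into its directives, drops duplicated sources such as a repeated "ws: wss:", rewrites the two framing directives for a chosen origin, and lists the settings a reviewer would question before shipping the policy. PAGE_POLICY is the default policy string quoted on this page; the embedding origin https://portal.example.com and the function names are assumptions made for illustration.

```javascript
// Added example, not part of the Opmantek/FirstWave code base.
// Default security_content_policy as quoted on this page.
const PAGE_POLICY =
  "connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; " +
  "font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; " +
  "img-src 'self' data: maps.google.com maps.gstatic.com; manifest-src 'none'; media-src 'none'; object-src 'none'; " +
  "prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; " +
  "style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';";

/** Parse a CSP string into a Map of directive name -> ordered, de-duplicated source list. */
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // skips the empty tail after the final ';'
    const name = tokens[0].toLowerCase();
    const sources = directives.get(name) || [];
    for (const s of tokens.slice(1)) {
      if (!sources.includes(s)) sources.push(s);  // a repeated "ws: wss:" collapses to one copy
    }
    directives.set(name, sources);
  }
  return directives;
}

/** Serialise back to the single-line form used in opCommon.json. */
function serializeCsp(directives) {
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ') + ';';
}

/**
 * Return a copy of `policy` that lets `embedderOrigin` (assumed origin, e.g. the
 * portal that will carry the iFrame) frame the application, and lets the
 * application frame that origin back. Replaces the default 'none' values.
 */
function allowFraming(policy, embedderOrigin) {
  const d = parseCsp(policy);
  d.set('frame-ancestors', [embedderOrigin]);
  d.set('frame-src', [embedderOrigin]);
  return serializeCsp(d);
}

/** List the settings a reviewer would question. Returns an array of finding strings. */
function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = d.get('script-src') || [];
  if (script.includes("'unsafe-inline'")) findings.push("script-src 'unsafe-inline': injected inline script is allowed to run");
  if (script.includes("'unsafe-eval'")) findings.push("script-src 'unsafe-eval': eval()/Function() of attacker-influenced strings is allowed");
  for (const s of d.get('connect-src') || []) {
    // A bare scheme source such as ws: or wss: matches any host on that scheme.
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) findings.push(`connect-src scheme-only source ${s} permits connections to any host`);
  }
  for (const s of d.get('frame-ancestors') || []) {
    if (s.includes('*')) findings.push(`frame-ancestors wildcard ${s}: every matching host may frame the application`);
  }
  if (d.has('prefetch-src')) findings.push('prefetch-src was dropped from the CSP specification and current browsers ignore it');
  return findings;
}

// Stand-alone demo: embedding origin below is an assumption for illustration.
console.log(allowFraming(PAGE_POLICY, 'https://portal.example.com'));
for (const f of lintCsp(PAGE_POLICY)) console.log('finding:', f);
```

Run with node. On the default policy the linter reports the two 'unsafe-*' keywords in script-src, the bare ws: and wss: sources, and prefetch-src; the first two findings mean the policy gives little protection against injected script until the application can drop them, and the bare scheme sources should be narrowed to the hosts the application's own WebSocket endpoints actually use.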

...