Re: SameSite issues in Safari Browser (reference #RM5975)

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Dave Page <[email protected]>
To: Rahul Shirsat <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
Date: Thu, 3 Dec 2020 09:32:35 +0000
Message-ID: <CA+OCxow2ACbPpjLhP7H=HtcaK6ivtxRhKtXznhKJn+Y4RKzDxQ@mail.gmail.com> (raw)
In-Reply-To: <CAKtn9dOx_8qqHmz4RCJ+o0AJUxOY6KSgWo1beWr3iNHBZ0L3Mg@mail.gmail.com>
References: <CAKtn9dNqZqKbOuwaE5Y94+_WG=NqTh+=oj1vYvdcbq7501b_NQ@mail.gmail.com>
	<CA+OCxozMTrE-AFoei16-rzb5PNEqN7ZmJQ7wPGe=Ctwp4Tk02Q@mail.gmail.com>
	<CAKtn9dPCUa_kbA=ViTS+hHZ2PxxQ54SVE5G1YdkTPxoZxxwbgw@mail.gmail.com>
	<CA+OCxoxZCULg79P9QhBE8K65Cgnnz5Am2kyUK=7YSuftLB0thg@mail.gmail.com>
	<CAKtn9dP32Aiac5RD997yGkO2Mf95hfL3LA7=JSizb_xEGb3THw@mail.gmail.com>
	<CAKtn9dOh7wmNb-hfYanbcVVbL4tAvq4qJjzDXUq4XWgdGTswcw@mail.gmail.com>
	<CA+OCxoyROpmcL7fxGsidjizZN7d10ANpTqTZvxLiLOpOuGDHnA@mail.gmail.com>
	<CAKtn9dOx_8qqHmz4RCJ+o0AJUxOY6KSgWo1beWr3iNHBZ0L3Mg@mail.gmail.com>

Hi

Please check: https://www.pgadmin.org/faq/#13

On Thu, Dec 3, 2020 at 8:54 AM Rahul Shirsat <[email protected]>
wrote:

> Dave,
>
> Please find below corrected faq details.
>
> Category : Troubleshooting
>
> Question :
> When I set new tab settings for query tool or schema-diff, I get
> "Connection to server lost" or "CSRF tokens do not match" on Safari
> versions >= 12
>
> Answer:
> <p>This has been seen mostly on Safari browser versions >= 12. It's
> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
> recognizes the SameSite option starting with version 12, but their
> implementation has a bug: It interprets invalid values as if
> SameSite=Strict had been specified, and for it only Strict and Lax are
> valid values, as the older specification did not yet specify None</p>
>
> <p>To solve this issue, we need to override the SameSite security
> settings, for this, create a file called config_system.py (for location to
> create the file, refer <a href="
> https://www.pgadmin.org/docs/pgadmin4/development/config_py.html">The
> config.py file</a>). This file can be used to override any of the settings
> in config.py (which shouldn't be edited). The config_system.py should have
> the below code:</p>
>
> <pre>
>     SESSION_COOKIE_SAMESITE = None
>     SESSION_COOKIE_SECURE = True
> </pre>
> <p><i>Note that these changes are not recommended, and we highly recommend
> users to use a different browser until the issue gets resolved from
> Apple.</i>
>
> Removed the OS specific condition to make it generic for all distributions.
> Added a warning note at the last of the faq.
>
> On Wed, Dec 2, 2020 at 4:33 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <
>> [email protected]> wrote:
>>
>>> Hi Dave,
>>>
>>> Could you please add below FAQ point for SameSite Safari issue:
>>>
>>> Question :
>>> When I set new tab settings for query tool or schema-diff, I get
>>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>>> versions >= 12
>>>
>>> Answer:
>>> <p>This has been seen mostly on Safari browser versions >= 12. It's
>>> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
>>> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
>>> recognizes the SameSite option starting with version 12, but their
>>> implementation has a bug: It interprets invalid values as if
>>> SameSite=Strict had been specified, and for it only Strict and Lax are
>>> valid values, as the older specification did not yet specify None</p>
>>>
>>> <p>To solve this issue, we need to override the SameSite security
>>> settings, for this, create a file called config_system.py in the web/
>>> directory of the installation, alongside the existing config.py. This file
>>> can be used to override any of the settings in config.py (which shouldn't
>>> be edited). The config_system.py should have the below code:</p>
>>>
>>
>> We could certainly add something like that, though, config_system.py
>> doesn't go alongside config.py so that part of the text needs fixing.
>>
>>
>>>
>>> <pre>
>>> import sys
>>>
>>> # Targeting only macOS
>>> if sys.platform.startswith('darwin'):
>>>     SESSION_COOKIE_SAMESITE = None
>>>     SESSION_COOKIE_SECURE = True
>>> </pre>
>>>
>>> Do suggest or add any points if I am missing them.
>>>
>>
>> And that is not going to work in Server mode, only Desktop.
>>
>>
>>
>>>
>>> Also, let me know once this is done, So that I will close the ticket.
>>>
>>> --
>>> *Rahul Shirsat*
>>> Senior Software Engineer | EnterpriseDB Corporation.
>>>
>>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <
>>> [email protected]> wrote:
>>>
>>>> This was the part of our internal quality testing, where it got
>>>> encountered. Currently, none of the users have complained about this on
>>>> their specific browser versions.
>>>>
>>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Dave,
>>>>>>
>>>>>> There are issues discussed on Apple forums, check this out:
>>>>>>
>>>>>> https://developer.apple.com/forums/thread/129064 - The latest
>>>>>> comment by the user here is one month ago, meaning the issue is still not
>>>>>> fixed yet.
>>>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>>>> issue in v13.x
>>>>>>
>>>>>> Even webkit has confirmed about this issue :
>>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>>>> issue in v12.x
>>>>>>
>>>>>
>>>>> In that case, I think the answer (for now at least) is an FAQ,
>>>>> referencing those issues and explaining how to resolve the issue using
>>>>> config_system.py or by using a different browser.
>>>>>
>>>>> Have we actually seen this issue in wild?
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Dave,
>>>>>>>>
>>>>>>>> Due to SameSite security issues in Safari Browser, some of the
>>>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>>
>>>>>>>> The affected Safari Browser versions (marked in red) currently
>>>>>>>> tested upon are:
>>>>>>>>
>>>>>>>>    1. v11.1.2
>>>>>>>>    2. v12.1
>>>>>>>>    3. v12.1.1
>>>>>>>>    4. 13.1
>>>>>>>>    5. 14.0.1
>>>>>>>>
>>>>>>>> Since v12, Safari have done some security fixes, due to which this
>>>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>>>> reproducible on its successor i.e. v14
>>>>>>>>
>>>>>>>> Possible solutions could be:
>>>>>>>>
>>>>>>>>    1. Reporting this to Safari & raising an RM for tracking
>>>>>>>>    purposes.
>>>>>>>>    2. Suggesting Safari users to make below changes in config.py
>>>>>>>>    or config_distro for the work around:
>>>>>>>>
>>>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>>>>
>>>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>>>> (As we aren't going through any cross-site cookie transfer, this
>>>>>>>> can be a handy option - but still risky..)
>>>>>>>>
>>>>>>>> I would suggest going with the 1st option or combination of both,
>>>>>>>> but with caution.
>>>>>>>>
>>>>>>>
>>>>>>> Others must have come across this issue already. Is it a known bug,
>>>>>>> documented somewhere (ideally on apple.com)?
>>>>>>>
>>>>>>> --
>>>>>>> Dave Page
>>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>>> Twitter: @pgsnake
>>>>>>>
>>>>>>> EDB: http://www.enterprisedb.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Rahul Shirsat*
>>>>>> Software Engineer | EnterpriseDB Corporation.
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Dave Page
>>>>> Blog: http://pgsnake.blogspot.com
>>>>> Twitter: @pgsnake
>>>>>
>>>>> EDB: http://www.enterprisedb.com
>>>>>
>>>>>
>>>>
>>>> --
>>>> *Rahul Shirsat*
>>>> Software Engineer | EnterpriseDB Corporation.
>>>>
>>>
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com

view thread (13+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
  In-Reply-To: <CA+OCxow2ACbPpjLhP7H=HtcaK6ivtxRhKtXznhKJn+Y4RKzDxQ@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox