From: Dave Page
Date: Thu, 3 Dec 2020 09:32:35 +0000
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Rahul Shirsat
Cc: pgadmin-hackers

Hi

Please check: https://www.pgadmin.org/faq/#13

On Thu, Dec 3, 2020 at 8:54 AM Rahul Shirsat wrote:
> Dave,
>
> Please find below corrected faq details.
>
> Category : Troubleshooting
>
> Question :
> When I set new tab settings for query tool or schema-diff, I get
> "Connection to server lost" or "CSRF tokens do not match" on Safari
> versions >= 12
>
> Answer:
>
> This has been seen mostly on Safari browser versions >= 12. It's
> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
> recognizes the SameSite option starting with version 12, but their
> implementation has a bug: It interprets invalid values as if
> SameSite=Strict had been specified, and for it only Strict and Lax are
> valid values, as the older specification did not yet specify None
>
> To solve this issue, we need to override the SameSite security
> settings, for this, create a file called config_system.py (for location to
> create the file, refer The config.py file
> <https://www.pgadmin.org/docs/pgadmin4/development/config_py.html>).
> This file can be used to override any of the settings in config.py
> (which shouldn't be edited). The config_system.py should have the
> below code:
>
>     SESSION_COOKIE_SAMESITE = None
>     SESSION_COOKIE_SECURE = True
>
> Note that these changes are not recommended, and we highly recommend
> users to use a different browser until the issue gets resolved from
> Apple.
>
> Removed the OS specific condition to make it generic for all distributions.
> Added a warning note at the last of the faq.
>
> On Wed, Dec 2, 2020 at 4:33 PM Dave Page <dpage@pgadmin.org> wrote:
>> Hi
>>
>> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>> Hi Dave,
>>>
>>> Could you please add below FAQ point for SameSite Safari issue:
>>>
>>> Question :
>>> When I set new tab settings for query tool or schema-diff, I get
>>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>>> versions >= 12
>>>
>>> Answer:
>>>
>>> This has been seen mostly on Safari browser versions >= 12. It's
>>> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
>>> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
>>> recognizes the SameSite option starting with version 12, but their
>>> implementation has a bug: It interprets invalid values as if
>>> SameSite=Strict had been specified, and for it only Strict and Lax are
>>> valid values, as the older specification did not yet specify None
>>>
>>> To solve this issue, we need to override the SameSite security
>>> settings, for this, create a file called config_system.py in the web/
>>> directory of the installation, alongside the existing config.py. This file
>>> can be used to override any of the settings in config.py (which shouldn't
>>> be edited). The config_system.py should have the below code:
>>
>> We could certainly add something like that, though, config_system.py
>> doesn't go alongside config.py so that part of the text needs fixing.
>>
>>>     import sys
>>>
>>>     # Targeting only macOS
>>>     if sys.platform.startswith('darwin'):
>>>         SESSION_COOKIE_SAMESITE = None
>>>         SESSION_COOKIE_SECURE = True
>>>
>>> Do suggest or add any points if I am missing them.
>>
>> And that is not going to work in Server mode, only Desktop.
>>
>>> Also, let me know once this is done, So that I will close the ticket.
>>>
>>> --
>>> Rahul Shirsat
>>> Senior Software Engineer | EnterpriseDB Corporation.
>>>
>>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>> This was the part of our internal quality testing, where it got
>>>> encountered. Currently, none of the users have complained about this on
>>>> their specific browser versions.
>>>>
>>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <dpage@pgadmin.org> wrote:
>>>>> Hi
>>>>>
>>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>>> Dave,
>>>>>>
>>>>>> There are issues discussed on Apple forums, check this out:
>>>>>>
>>>>>> https://developer.apple.com/forums/thread/129064 - The latest
>>>>>> comment by the user here is one month ago, meaning the issue is still not
>>>>>> fixed yet.
>>>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>>>> issue in v13.x
>>>>>>
>>>>>> Even webkit has confirmed about this issue :
>>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>>>> issue in v12.x
>>>>>
>>>>> In that case, I think the answer (for now at least) is an FAQ,
>>>>> referencing those issues and explaining how to resolve the issue using
>>>>> config_system.py or by using a different browser.
>>>>>
>>>>> Have we actually seen this issue in wild?
>>>>>
>>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <dpage@pgadmin.org> wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>>>>> Hi Dave,
>>>>>>>>
>>>>>>>> Due to SameSite security issues in Safari Browser, some of the
>>>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>>
>>>>>>>> The affected Safari Browser versions (marked in red) currently
>>>>>>>> tested upon are:
>>>>>>>>
>>>>>>>> 1. v11.1.2
>>>>>>>> 2. v12.1
>>>>>>>> 3. v12.1.1
>>>>>>>> 4. 13.1
>>>>>>>> 5. 14.0.1
>>>>>>>>
>>>>>>>> Since v12, Safari have done some security fixes, due to which this
>>>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>>>> reproducible on its successor i.e. v14
>>>>>>>>
>>>>>>>> Possible solutions could be:
>>>>>>>>
>>>>>>>> 1. Reporting this to Safari & raising an RM for tracking
>>>>>>>> purposes.
>>>>>>>> 2. Suggesting Safari users to make below changes in config.py
>>>>>>>> or config_distro for the work around:
>>>>>>>>
>>>>>>>>     SESSION_COOKIE_SAMESITE = None
>>>>>>>>     SESSION_COOKIE_SECURE = True
>>>>>>>>
>>>>>>>> (As we aren't going through any cross-site cookie transfer, this
>>>>>>>> can be a handy option - but still risky..)
>>>>>>>>
>>>>>>>> I would suggest going with the 1st option or combination of both,
>>>>>>>> but with caution.
>>>>>>>
>>>>>>> Others must have come across this issue already. Is it a known bug,
>>>>>>> documented somewhere (ideally on apple.com)?
>>>>>>>
>>>>>>> --
>>>>>>> Dave Page
>>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>>> Twitter: @pgsnake
>>>>>>>
>>>>>>> EDB: http://www.enterprisedb.com
>>>>>>
>>>>>> --
>>>>>> Rahul Shirsat
>>>>>> Software Engineer | EnterpriseDB Corporation.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
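The thread turns on a detail that is easy to miss: in Flask (which pgAdmin is built on), a Python `None` for `SESSION_COOKIE_SAMESITE` omits the `SameSite` attribute from the `Set-Cookie` header altogether, whereas the string `"None"` emits `SameSite=None`, the value the thread says Safari 12 misreads as `Strict`. The following added example (my own code, not pgAdmin's or Flask's) renders the session cookie from the two settings discussed and reads it back under two browser models: a spec-following parser that knows `Strict`, `Lax` and `None`, and a `legacy_safari` model of the bug described above, where only `Strict` and `Lax` are recognised and anything else is treated as `Strict`. The cookie name and value are constructed sample data, and the handling of unknown values and of `SameSite=None` without `Secure` in the spec model is my reading of current browser behaviour, not something the thread states.

```python
"""Added example (not pgAdmin or Flask code): render a Flask-style session
Set-Cookie header from SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE and
show how a spec-following browser and a browser with the Safari 12 bug
(only Strict and Lax recognised, anything else treated as Strict) read it.
Cookie name and value below are constructed sample data."""

SAMESITE_VALUES = ("Strict", "Lax", "None")


def render_set_cookie(name, value, samesite, secure):
    """Build a Set-Cookie header the way Flask's session interface does:
    a Python None for the samesite setting omits the attribute entirely,
    while the string "None" emits 'SameSite=None'. Invalid values are
    rejected, as Werkzeug does."""
    if samesite is not None and samesite not in SAMESITE_VALUES:
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); attrs maps
    lower-cased attribute names to their value, or True for flags."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value, attrs


def effective_samesite(attrs, policy):
    """Return the SameSite enforcement a browser applies to the cookie:
    "Strict", "Lax", "None" (no restriction), "Default" (attribute absent
    or ignored, so the browser's own default applies) or "Rejected"."""
    raw = attrs.get("samesite")
    if raw is None:
        return "Default"
    canonical = {v.lower(): v for v in SAMESITE_VALUES}.get(raw.lower())
    if policy == "legacy_safari":
        # The bug from the thread: None is not a known value, so it falls
        # into the "invalid value -> Strict" branch.
        return canonical if canonical in ("Strict", "Lax") else "Strict"
    if policy == "spec":
        if canonical is None:
            return "Default"      # assumption: unknown values are ignored
        if canonical == "None" and "secure" not in attrs:
            return "Rejected"     # SameSite=None requires the Secure flag
        return canonical
    raise ValueError(f"unknown policy: {policy!r}")


def compare_settings(samesite, secure):
    """Render the cookie for one pair of config values and report how each
    browser model treats it, e.g. {"spec": "None", "legacy_safari": "Strict"}."""
    header = render_set_cookie("session", "constructed-session-id", samesite, secure)
    _, _, attrs = parse_set_cookie(header)
    return {policy: effective_samesite(attrs, policy)
            for policy in ("spec", "legacy_safari")}


if __name__ == "__main__":
    cases = {
        "SameSite=None emitted": ("None", True),
        "FAQ workaround (attribute omitted)": (None, True),
        "SameSite=None without Secure": ("None", False),
        "SameSite=Lax": ("Lax", True),
    }
    for label, settings in cases.items():
        print(f"{label}: {compare_settings(*settings)}")
```

Two practical consequences follow from the output. First, the workaround works by leaving the attribute out, so the cookie's cross-site behaviour falls back to whatever each browser does by default; that is the "still risky" part of the thread, and why the FAQ text recommends another browser instead. Second, `SESSION_COOKIE_SECURE = True` means the cookie is only ever sent over HTTPS, so the override is only usable on a TLS-fronted deployment. And, as noted in the thread, a `sys.platform` check in `config_system.py` runs on the machine hosting pgAdmin, not in the user's browser, so it cannot target Safari users in Server mode.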