From: Dave Page <dpage@pgadmin.org>
Date: Mon, 30 Nov 2020 11:42:30 +0000
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Rahul Shirsat
Cc: pgadmin-hackers

Hi

On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:

> Dave,
>
> There are issues discussed on Apple forums, check this out:
>
> https://developer.apple.com/forums/thread/129064 - The latest comment by
> the user here is one month ago, meaning the issue is still not fixed yet.
> https://developer.apple.com/forums/thread/658688 - Users facing this
> issue in v13.x
>
> Even WebKit has confirmed this issue:
> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue
> in v12.x

In that case, I think the answer (for now at least) is an FAQ, referencing those issues and explaining how to resolve the issue using config_system.py or by using a different browser.

Have we actually seen this issue in the wild?

> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <dpage@pgadmin.org> wrote:
>
>> Hi
>>
>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>
>>> Hi Dave,
>>>
>>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>>> functionality isn't working (mostly the new tab functionality).
>>>
>>> The affected Safari Browser versions (marked in red) currently tested
>>> upon are:
>>>
>>> 1. v11.1.2
>>> 2. v12.1
>>> 3. v12.1.1
>>> 4. 13.1
>>> 5. 14.0.1
>>>
>>> Since v12, Safari has done some security fixes, due to which this issue
>>> has occurred. Strangely, the issue is not reproducible on v13, but
>>> reproducible on its successor, i.e. v14.
>>>
>>> Possible solutions could be:
>>>
>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>> 2. Suggesting Safari users make the below changes in config.py or
>>> config_distro for the workaround:
>>>
>>> SESSION_COOKIE_SAMESITE = None
>>> SESSION_COOKIE_SECURE = True
>>>
>>> (As we aren't going through any cross-site cookie transfer, this can be
>>> a handy option - but still risky..)
>>>
>>> I would suggest going with the 1st option or a combination of both, but
>>> with caution.
>>
>> Others must have come across this issue already. Is it a known bug,
>> documented somewhere (ideally on apple.com)?
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>
> --
> Rahul Shirsat
> Software Engineer | EnterpriseDB Corporation.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
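As an added example (not part of this thread or of pgAdmin's own code), the snippet below renders the Flask-style session cookie settings discussed in the thread into the Set-Cookie attributes a browser actually receives, and lists the findings a reviewer would raise for each combination. The key names are Flask's; the cookie name, its value and the three configuration dictionaries are constructed for the example.

```python
from http.cookies import SimpleCookie

# Three configurations constructed for this example, using Flask's config keys.
DEFAULT = {"SESSION_COOKIE_SAMESITE": "Lax", "SESSION_COOKIE_SECURE": False}
# The workaround quoted in the thread: Python None, i.e. no SameSite attribute.
WORKAROUND = {"SESSION_COOKIE_SAMESITE": None, "SESSION_COOKIE_SECURE": True}
# Easy to confuse with the above: the *string* "None" emits SameSite=None.
CROSS_SITE = {"SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": False}


def set_cookie_header(config, name="pga4_session", value="opaque-session-id"):
    """Render the Set-Cookie header value these settings produce.

    Mirrors Flask/Werkzeug semantics: Python None omits the SameSite attribute
    entirely (the browser then applies its own default), while the string
    "None" emits SameSite=None. HttpOnly is Flask's default for the session
    cookie. The cookie name and value are placeholders.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    if config.get("SESSION_COOKIE_SECURE"):
        jar[name]["secure"] = True
    samesite = config.get("SESSION_COOKIE_SAMESITE")
    if samesite is not None:
        jar[name]["samesite"] = samesite
    return jar[name].OutputString()


def review_cookie_policy(config):
    """Return the findings a defender would raise about this cookie policy."""
    findings = []
    samesite = config.get("SESSION_COOKIE_SAMESITE")
    secure = bool(config.get("SESSION_COOKIE_SECURE"))
    if not secure:
        findings.append("session cookie is sent over plain HTTP (Secure not set)")
    if samesite == "None" and not secure:
        findings.append("SameSite=None without Secure is rejected by Chromium-based browsers")
    if samesite == "None":
        findings.append("SameSite=None lets cross-site requests carry the session; "
                        "CSRF tokens must cover every state-changing request")
    if samesite is None:
        findings.append("no SameSite attribute: the policy depends on each browser's "
                        "default, so it cannot be relied on as a CSRF defence")
    return findings
```

Running the three configurations through both functions shows why the workaround in the thread is "handy but risky": it keeps Secure but gives up the SameSite attribute as defence in depth, leaving CSRF protection to the application's own tokens.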