From: Dave Page
Date: Wed, 2 Dec 2020 11:03:42 +0000
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Rahul Shirsat
Cc: pgadmin-hackers

Hi

On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat wrote:
> Hi Dave,
>
> Could you please add below FAQ point for SameSite Safari issue:
>
> Question :
> When I set new tab settings for query tool or schema-diff, I get
> "Connection to server lost" or "CSRF tokens do not match" on Safari
> versions >= 12
>
> Answer:
>
> This has been seen mostly on Safari browser versions >= 12. It's
> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
> recognizes the SameSite option starting with version 12, but their
> implementation has a bug: It interprets invalid values as if
> SameSite=Strict had been specified, and for it only Strict and Lax are
> valid values, as the older specification did not yet specify None
>
> To solve this issue, we need to override the SameSite security
> settings, for this, create a file called config_system.py in the web/
> directory of the installation, alongside the existing config.py. This file
> can be used to override any of the settings in config.py (which shouldn't
> be edited). The config_system.py should have the below code:

We could certainly add something like that, though, config_system.py
doesn't go alongside config.py so that part of the text needs fixing.

>
> import sys
>
> # Targeting only macOS
> if sys.platform.startswith('darwin'):
>     SESSION_COOKIE_SAMESITE = None
>     SESSION_COOKIE_SECURE = True
> 
> Do suggest or add any points if I am missing them.

And that is not going to work in Server mode, only Desktop.

>
> Also, let me know once this is done, So that I will close the ticket.
>
> --
> *Rahul Shirsat*
> Senior Software Engineer | EnterpriseDB Corporation.
>
> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>> This was the part of our internal quality testing, where it got
>> encountered. Currently, none of the users have complained about this on
>> their specific browser versions.
>>
>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page wrote:
>>> Hi
>>>
>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>> Dave,
>>>>
>>>> There are issues discussed on Apple forums, check this out:
>>>>
>>>> https://developer.apple.com/forums/thread/129064 - The latest comment
>>>> by the user here is one month ago, meaning the issue is still not fixed yet.
>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>> issue in v13.x
>>>>
>>>> Even webkit has confirmed about this issue :
>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>> issue in v12.x
>>>
>>> In that case, I think the answer (for now at least) is an FAQ,
>>> referencing those issues and explaining how to resolve the issue using
>>> config_system.py or by using a different browser.
>>>
>>> Have we actually seen this issue in wild?
>>>
>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page wrote:
>>>>> Hi
>>>>>
>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>>> Hi Dave,
>>>>>>
>>>>>> Due to SameSite security issues in Safari Browser, some of the
>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>
>>>>>> The affected Safari Browser versions (marked in red) currently tested
>>>>>> upon are:
>>>>>>
>>>>>> 1. v11.1.2
>>>>>> 2. v12.1
>>>>>> 3. v12.1.1
>>>>>> 4. 13.1
>>>>>> 5. 14.0.1
>>>>>>
>>>>>> Since v12, Safari have done some security fixes, due to which this
>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>> reproducible on its successor i.e. v14
>>>>>>
>>>>>> Possible solutions could be:
>>>>>>
>>>>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>>> 2. Suggesting Safari users to make below changes in config.py or
>>>>>> config_distro for the work around:
>>>>>>
>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>>
>>>>>> (As we aren't going through any cross-site cookie transfer, this can
>>>>>> be a handy option - but still risky..)
>>>>>>
>>>>>> I would suggest going with the 1st option or combination of both, but
>>>>>> with caution.
>>>>>
>>>>> Others must have come across this issue already. Is it a known bug,
>>>>> documented somewhere (ideally on apple.com)?
>>>>>
>>>>> --
>>>>> Dave Page
>>>>> Blog: http://pgsnake.blogspot.com
>>>>> Twitter: @pgsnake
>>>>>
>>>>> EDB: http://www.enterprisedb.com
>>>>
>>>> --
>>>> *Rahul Shirsat*
>>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EDB: http://www.enterprisedb.com
>>
>> --
>> *Rahul Shirsat*
>> Software Engineer | EnterpriseDB Corporation.
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
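The settings argued over in this thread (SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE) only matter through the Set-Cookie header they produce and through how a given browser reads that header. The Python below is an added illustration, not pgAdmin's code and not part of any message in the thread: it renders the header each candidate setting yields, following Flask's rule that a Python None omits the SameSite attribute while the strings 'None', 'Lax' and 'Strict' emit it (approximated with the standard-library http.cookies module instead of running Flask), and then interprets the header two ways: as written, and the way the thread describes Safari 12 behaving, where only Strict and Lax are recognised and anything else, including None, is read as Strict. The cookie name and session value are constructed for the example; nothing here claims to be pgAdmin's actual cookie.

```python
"""Added example (not pgAdmin's code): the on-wire effect of the Flask
SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE settings discussed in the
thread, and how a Safari-12-style client would read each variant.

Assumptions: cookie name and value are constructed; Set-Cookie rendering
uses http.cookies to mirror Flask's behaviour (Python None => attribute
omitted, string => attribute emitted) without importing Flask."""
from http.cookies import SimpleCookie

# Per the thread, Safari 12 knows only these two values; everything else
# (including "None") is treated as Strict.
KNOWN_TO_LEGACY_CLIENT = ("strict", "lax")


def build_set_cookie(samesite, secure, name="session_example",
                     value="constructed-session-id"):
    """Render the Set-Cookie header for Flask-style settings.

    samesite: None (attribute omitted) or one of 'None', 'Lax', 'Strict'.
    secure:   True adds the Secure flag (browsers require it for SameSite=None).
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # a session cookie should never be script-readable
    if secure:
        morsel["secure"] = True
    if samesite is not None:
        if samesite not in ("None", "Lax", "Strict"):
            raise ValueError(f"unsupported SameSite value: {samesite!r}")
        morsel["samesite"] = samesite
    return morsel.OutputString()


def parse_samesite(set_cookie_header):
    """Return the SameSite value (lower-cased) from a Set-Cookie header, or None if absent."""
    for attr in set_cookie_header.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val.strip().lower()
    return None


def effective_policy(set_cookie_header, legacy_client=False):
    """Policy a client applies to the cookie.

    legacy_client=False: the attribute is taken as written ('unset' if absent).
    legacy_client=True:  the CFNetwork/Safari 12 behaviour the thread describes:
                         values other than Strict/Lax, including 'None', become
                         Strict.  An absent attribute stays unrestricted, which is
                         what the SESSION_COOKIE_SAMESITE = None workaround relies on.
    Note: current Chromium-based browsers default an absent attribute to Lax;
    that newer default is deliberately not modelled here.
    """
    value = parse_samesite(set_cookie_header)
    if value is None:
        return "unset"
    if legacy_client and value not in KNOWN_TO_LEGACY_CLIENT:
        return "strict"
    return value


def sent_on_cross_site_request(policy):
    """Whether the cookie accompanies a cross-site request such as the XHR/fetch
    calls a tool opened in a new tab makes back to the server.  Lax would still
    permit top-level GET navigations, but not the follow-up requests modelled here."""
    return policy in ("none", "unset")


def compare_settings(legacy_client):
    """Map each candidate setting to whether the session cookie survives a
    cross-site request under the chosen client model."""
    report = {}
    for label, samesite in (("SameSite=None", "None"),
                            ("attribute omitted", None),
                            ("SameSite=Lax", "Lax")):
        header = build_set_cookie(samesite, secure=True)
        policy = effective_policy(header, legacy_client=legacy_client)
        report[label] = sent_on_cross_site_request(policy)
    return report


if __name__ == "__main__":
    for legacy in (False, True):
        print("Safari-12-style client" if legacy else "client reading the header as written",
              compare_settings(legacy))
```

Running it shows the asymmetry the thread turns on: a client that reads the header as written accepts the cookie on cross-site requests for both SameSite=None and the omitted attribute, whereas the Safari-12-style client drops it for SameSite=None (read as Strict) and keeps it only when the attribute is omitted. That is why the proposed override sets the value to Python None rather than the string 'None'. The override is applied where the Flask app runs, which is the point Dave makes about Desktop versus Server mode: a sys.platform check on the server says nothing about which browser a remote user has.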