From: Dave Page
Date: Thu, 26 Nov 2020 13:27:06 +0000
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Rahul Shirsat
Cc: pgadmin-hackers

Hi

On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:

> Hi Dave,
>
> Due to SameSite security issues in the Safari browser, some of the pgadmin4
> functionality isn't working (mostly the new tab functionality).
>
> The affected Safari browser versions (marked in red) currently tested upon
> are:
>
> 1. v11.1.2
> 2. v12.1
> 3. v12.1.1
> 4. 13.1
> 5. 14.0.1
>
> Since v12, Safari has done some security fixes, due to which this issue
> has occurred. Strangely, the issue is not reproducible on v13, but is
> reproducible on its successor, i.e. v14.
>
> Possible solutions could be:
>
> 1. Reporting this to Safari & raising an RM for tracking purposes.
> 2. Suggesting that Safari users make the changes below in config.py or
> config_distro as a workaround:
>
> SESSION_COOKIE_SAMESITE = None
> SESSION_COOKIE_SECURE = True
>
> (As we aren't going through any cross-site cookie transfer, this can be a
> handy option - but still risky..)
>
> I would suggest going with the 1st option or a combination of both, but with
> caution.

Others must have come across this issue already. Is it a known bug, documented somewhere (ideally on apple.com)?

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EDB: http://www.enterprisedb.com
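The workaround quoted in the thread changes two Flask settings that end up as attributes on the session cookie's Set-Cookie header. The following is an added example, not pgAdmin's or Flask's own code: it builds the header each setting produces and models, using the rules of the IETF SameSite draft rather than any particular Safari version, when a browser will attach the cookie. One detail worth seeing is that in Flask the Python value `None` for SESSION_COOKIE_SAMESITE omits the SameSite attribute entirely, whereas the string `"None"` is what emits `SameSite=None`. The cookie name `pga4_session`, the token value and the request contexts are constructed for the example; the audit function lists the risk points a reviewer would raise before recommending the change.

```python
"""Model what SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE do to a Flask session cookie.

Added example (not pgAdmin's or Flask's code). Assumes Flask maps the two settings to
the SameSite and Secure attributes of Set-Cookie, and models the SameSite draft rules;
it makes no claim about any specific Safari version.
"""
from http.cookies import SimpleCookie

# Request contexts a browser distinguishes when deciding whether to attach a cookie.
SAME_SITE = "same-site request"
CROSS_SITE_TOP_LEVEL_GET = "cross-site top-level GET navigation"
CROSS_SITE_SUBREQUEST = "cross-site subrequest or non-GET request"


def session_cookie_header(samesite, secure, httponly=True,
                          name="pga4_session", value="constructed-token"):
    """Return the Set-Cookie line Flask would emit for the given settings.

    samesite=None (the Python value) mirrors Flask's behaviour of omitting the attribute;
    the string "None" produces SameSite=None. Name and value are constructed samples.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if samesite is not None:
        morsel["samesite"] = samesite
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    return morsel.OutputString()


def parse_set_cookie(header):
    """Parse a Set-Cookie line into (name, value, attrs); attribute names are lower-cased,
    flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def browser_will_send(attrs, context, legacy_default=False):
    """Decide whether a browser attaches the cookie to a request in the given context.

    Strict: same-site only. Lax: same-site plus cross-site top-level GET navigations.
    None: every context, but browsers with the lax-by-default change (Chrome 80 and later)
    reject a SameSite=None cookie that is not also Secure. A missing attribute is treated
    as Lax unless legacy_default=True, which models older browsers that applied no restriction.
    """
    mode = str(attrs.get("samesite", "")).lower()
    if mode == "":
        mode = "unrestricted" if legacy_default else "lax"
    if mode == "none":
        return "secure" in attrs
    if mode == "unrestricted":
        return True
    if mode == "strict":
        return context == SAME_SITE
    if mode == "lax":
        return context in (SAME_SITE, CROSS_SITE_TOP_LEVEL_GET)
    raise ValueError(f"unknown SameSite value: {mode!r}")


def audit_session_cookie(header):
    """Return the findings a reviewer would raise about the cookie's attributes."""
    _, _, attrs = parse_set_cookie(header)
    mode = str(attrs.get("samesite", "")).lower()
    findings = []
    if mode == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: rejected by current browsers")
    if mode == "none":
        findings.append("SameSite=None: cookie rides along on cross-site requests, "
                        "so CSRF protection must not rely on the SameSite attribute")
    if mode == "":
        findings.append("SameSite attribute absent: behaviour depends on the browser default "
                        "(Lax in current browsers, unrestricted in older ones)")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: session token readable by page script")
    return findings


if __name__ == "__main__":
    for label, samesite, secure in [("Flask default (Python None)", None, True),
                                    ("Lax", "Lax", True),
                                    ("workaround as string", "None", True),
                                    ("SameSite=None but not Secure", "None", False)]:
        header = session_cookie_header(samesite, secure)
        _, _, attrs = parse_set_cookie(header)
        sent = {ctx: browser_will_send(attrs, ctx)
                for ctx in (SAME_SITE, CROSS_SITE_TOP_LEVEL_GET, CROSS_SITE_SUBREQUEST)}
        print(f"{label}\n  {header}\n  sent: {sent}\n  findings: {audit_session_cookie(header)}")
```

Running the block prints, for each configuration, the header, the contexts in which the cookie is attached, and the audit findings; the "still risky" caveat in the thread corresponds to the cookie being sent on cross-site subrequests once SameSite=None is in effect.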