From: Ashesh Vashi
Date: Thu, 26 Nov 2020 14:20:09 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Rahul Shirsat
Cc: Akshay Joshi, pgadmin-hackers

On Thu, Nov 26, 2020 at 1:33 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
> Yes Akshay.
>
> I think we should go ahead and add this approach to the pgAdmin FAQs; we
> would not be fixing this in our code, as we don't know when Apple would fix
> its issue.

Or, add these configs in the config_distro.py for Mac packages.
-- Ashesh

> On Thu, Nov 26, 2020 at 11:27 AM Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
>> Hi Rahul
>>
>> On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>> Hi Dave,
>>>
>>> Due to SameSite security issues in the Safari browser, some of the pgAdmin4
>>> functionality isn't working (mostly the new-tab functionality).
>>>
>>> The affected Safari browser versions (marked in red) currently tested
>>> upon are:
>>>
>>> 1. v11.1.2
>>> 2. v12.1
>>> 3. v12.1.1
>>> 4. 13.1
>>> 5. 14.0.1
>>>
>>> Since v12, Safari has made some security fixes, due to which this issue
>>> has occurred. Strangely, the issue is not reproducible on v13, but is
>>> reproducible on its successor, i.e. v14.
>>>
>>> Possible solutions could be:
>>>
>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>> 2. Suggesting Safari users make the below changes in config.py or
>>> config_distro for the workaround:
>>>
>>> SESSION_COOKIE_SAMESITE = None
>>> SESSION_COOKIE_SECURE = True
>>>
>>> (As we aren't going through any cross-site cookie transfer, this can be
>>> a handy option - but still risky.)
>>>
>>> I would suggest going with the 1st option or a combination of both, but
>>> with caution.
>>
>> In my opinion, we should go with both the options, as we have added
>> the above settings for security purposes.
>>
>>> --
>>> Rahul Shirsat
>>> Software Engineer | EnterpriseDB Corporation.
>>
>> --
>> Thanks & Regards
>> Akshay Joshi
>> pgAdmin Hacker | Principal Software Architect
>> EDB Postgres
>>
>> Mobile: +91 976-788-8246
>
> --
> Rahul Shirsat
> Software Engineer | EnterpriseDB Corporation.
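The thread discusses shipping `SESSION_COOKIE_SAMESITE = None` and `SESSION_COOKIE_SECURE = True` as a workaround. The following is an added example, not pgAdmin or Flask code, written from an operator's point of view: it models how a Flask-based application turns those two config values into `Set-Cookie` attributes (a Python `None` omits the `SameSite` attribute entirely rather than emitting `SameSite=None`), then parses a captured `Set-Cookie` header and lists what a reviewer would flag, so a deployer can confirm what a `config_distro.py` change actually did and what residual risk it leaves. The cookie name `pga4_session` and the sample headers are assumptions constructed for this example.

```python
"""Audit a session cookie's SameSite / Secure posture.

Added example, not pgAdmin or Flask code. Models how a Flask-based app turns
SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE into Set-Cookie attributes
(a Python None omits the SameSite attribute; it does not send "SameSite=None")
and checks a captured Set-Cookie header for the weaknesses a reviewer would
flag. Cookie name and sample headers are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

SESSION_COOKIE_NAME = "pga4_session"  # assumed session cookie name; adjust if different


@dataclass
class CookiePosture:
    name: str
    secure: bool
    http_only: bool
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent


def render_session_cookie(samesite: Optional[str], secure: bool,
                          http_only: bool = True, value: str = "<session-id>") -> str:
    """Build the Set-Cookie header a Flask-style app would emit for the given
    config values: SameSite is written only when the config value is not None."""
    parts = [f"{SESSION_COOKIE_NAME}={value}", "Path=/"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> CookiePosture:
    """Extract the security-relevant attributes from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            samesite = value.strip().capitalize()  # normalises "none" -> "None"
    return CookiePosture(name, secure, http_only, samesite)


def findings(posture: CookiePosture) -> List[str]:
    """Return the weaknesses a reviewer would flag for this cookie; empty means OK."""
    out: List[str] = []
    if not posture.secure:
        out.append("missing Secure: cookie may be sent over plain HTTP")
    if not posture.http_only:
        out.append("missing HttpOnly: cookie readable by page script")
    if posture.samesite == "None":
        out.append("SameSite=None: cookie rides on cross-site requests, so CSRF "
                   "defence must come from elsewhere (e.g. CSRF tokens)")
        if not posture.secure:
            out.append("SameSite=None without Secure: modern browsers drop this cookie")
    elif posture.samesite is None:
        out.append("no SameSite attribute: cross-site behaviour falls back to each "
                   "browser's default; verify CSRF protection independently")
    return out


# Constructed samples: a SameSite=Lax configuration and the workaround from the thread.
HARDENED_HEADER = render_session_cookie("Lax", secure=True)
WORKAROUND_HEADER = render_session_cookie(None, secure=True)  # SESSION_COOKIE_SAMESITE = None

if __name__ == "__main__":
    for label, header in (("hardened", HARDENED_HEADER), ("workaround", WORKAROUND_HEADER)):
        print(label, "->", header)
        for item in findings(parse_set_cookie(header)):
            print("  !", item)
```

Running the script shows that the workaround keeps `Secure` and `HttpOnly` but leaves the session cookie without any `SameSite` attribute, which is exactly the residual risk the thread calls "handy but still risky": whether the cookie accompanies cross-site requests is then decided by each browser's default, so the application's own CSRF protection carries the load. To audit a real deployment, paste the `Set-Cookie` header from a login response into `parse_set_cookie`.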