From: Rahul Shirsat
Date: Wed, 25 Nov 2020 16:07:12 +0530
Subject: SameSite issues in Safari Browser (reference #RM5975)
To: pgadmin-hackers

Hi Dave,

Due to SameSite security issues in Safari Browser, some of the pgadmin4 functionality isn't working (mostly the new tab functionality).

The affected Safari Browser versions (marked in red) currently tested upon are:

1. v11.1.2
2. v12.1
3. v12.1.1
4. 13.1
5. 14.0.1

Since v12, Safari has done some security fixes, due to which this issue has occurred. Strangely, the issue is not reproducible on v13, but is reproducible on its successor, i.e. v14.

Possible solutions could be:

1. Reporting this to Safari & raising an RM for tracking purposes.
2. Suggesting Safari users make the changes below in config.py or config_distro as a workaround:

SESSION_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = True

(As we aren't going through any cross-site cookie transfer, this can be a handy option - but still risky..)

I would suggest going with the 1st option or a combination of both, but with caution.

--
Rahul Shirsat
Software Engineer | EnterpriseDB Corporation.
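A stdlib check, added here and not part of the message or of pgAdmin, that renders the Set-Cookie header the proposed Flask SESSION_COOKIE_* settings produce and flags the caveats a reviewer would raise: SameSite=None is only honoured together with Secure, an omitted attribute still travels cross-site in browsers such as Safari that do not default to Lax, and a Secure cookie never leaves the browser over plain HTTP. It also separates the bare Python `None` written in config.py (Flask omits the attribute) from the string `"None"`; the three configurations and the cookie value are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed settings, not pgAdmin's shipped defaults. In config.py a bare
# `None` is the Python object, which makes Flask omit the SameSite attribute;
# the string "None" emits SameSite=None, which browsers only honour with Secure.
LAX_BASELINE = {"SESSION_COOKIE_SAMESITE": "Lax", "SESSION_COOKIE_SECURE": False}
WORKAROUND_LITERAL = {"SESSION_COOKIE_SAMESITE": None, "SESSION_COOKIE_SECURE": True}
WORKAROUND_STRING = {"SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": True}


def render_set_cookie(cfg, name="session", value="opaque-session-id"):
    """Build the Set-Cookie header a server with these settings would send.

    Mirrors how Flask maps SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE onto
    cookie attributes, using the stdlib; "session" is Flask's default cookie name.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if cfg.get("SESSION_COOKIE_SECURE"):
        morsel["secure"] = True
    samesite = cfg.get("SESSION_COOKIE_SAMESITE")
    if samesite is not None:  # Python None -> attribute left out entirely
        morsel["samesite"] = samesite
    return morsel.OutputString()


def check_samesite_policy(cfg, served_over_https=True):
    """Return the findings a reviewer would raise against these settings."""
    findings = []
    samesite = cfg.get("SESSION_COOKIE_SAMESITE")
    secure = bool(cfg.get("SESSION_COOKIE_SECURE"))
    explicit_none = isinstance(samesite, str) and samesite.lower() == "none"
    if explicit_none and not secure:
        findings.append("REJECTED: SameSite=None without Secure is discarded by current browsers")
    if explicit_none or samesite is None:
        findings.append("CROSS_SITE: cookie accompanies cross-site requests (an omitted attribute "
                        "does so in browsers like Safari that do not default to Lax); "
                        "CSRF tokens must cover every state-changing route")
    if secure and not served_over_https:
        findings.append("UNSENT: a Secure cookie is never sent over plain HTTP, so the session cannot persist")
    return findings


if __name__ == "__main__":
    for label, cfg in [("Lax baseline", LAX_BASELINE), ("None literal", WORKAROUND_LITERAL),
                       ("'None' string", WORKAROUND_STRING)]:
        print(f"{label}: {render_set_cookie(cfg)}")
        for finding in check_samesite_policy(cfg):
            print("  -", finding)
```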