From: Rahul Shirsat
Date: Tue, 1 Dec 2020 23:20:53 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Dave Page
Cc: pgadmin-hackers

Hi Dave,

Could you please add the below FAQ point for the SameSite Safari issue:

Question: When I set new tab settings for query tool or schema-diff, I get "Connection to server lost" or "CSRF tokens do not match" on Safari versions >= 12

Answer:

This has been seen mostly on Safari browser versions >= 12. It's reported that from v12, CFNetwork/Safari/WebKit erroneously handle "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari recognizes the SameSite option starting with version 12, but their implementation has a bug: it interprets invalid values as if SameSite=Strict had been specified, and for it only Strict and Lax are valid values, as the older specification did not yet specify None.

To solve this issue, we need to override the SameSite security settings. To do this, create a file called config_system.py in the web/ directory of the installation, alongside the existing config.py. This file can be used to override any of the settings in config.py (which shouldn't be edited). config_system.py should contain the below code:

import sys

# Targeting only macOS
if sys.platform.startswith('darwin'):
    SESSION_COOKIE_SAMESITE = None
    SESSION_COOKIE_SECURE = True
Do suggest or add any points if I am missing them.

Also, let me know once this is done, so that I will close the ticket.

--
*Rahul Shirsat*
Senior Software Engineer | EnterpriseDB Corporation.

On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:

> This was the part of our internal quality testing, where it got encountered. Currently, none of the users have complained about this on their specific browser versions.
>
> On Mon, Nov 30, 2020 at 5:12 PM Dave Page wrote:
>
>> Hi
>>
>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>
>>> Dave,
>>>
>>> There are issues discussed on Apple forums, check this out:
>>>
>>> https://developer.apple.com/forums/thread/129064 - The latest comment by the user here is one month ago, meaning the issue is still not fixed yet.
>>> https://developer.apple.com/forums/thread/658688 - Users facing this issue in v13.x
>>>
>>> Even WebKit has confirmed this issue:
>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue in v12.x
>>
>> In that case, I think the answer (for now at least) is an FAQ, referencing those issues and explaining how to resolve the issue using config_system.py or by using a different browser.
>>
>> Have we actually seen this issue in the wild?
>>
>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page wrote:
>>>
>>>> Hi
>>>>
>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>
>>>>> Hi Dave,
>>>>>
>>>>> Due to SameSite security issues in Safari Browser, some of the pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>
>>>>> The affected Safari Browser versions (marked in red) currently tested upon are:
>>>>>
>>>>> 1. v11.1.2
>>>>> 2. v12.1
>>>>> 3. v12.1.1
>>>>> 4. 13.1
>>>>> 5. 14.0.1
>>>>>
>>>>> Since v12, Safari has done some security fixes, due to which this issue has occurred. Strangely, the issue is not reproducible on v13, but reproducible on its successor, i.e. v14.
>>>>>
>>>>> Possible solutions could be:
>>>>>
>>>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>> 2. Suggesting Safari users make the below changes in config.py or config_distro for the workaround:
>>>>>
>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>
>>>>> (As we aren't going through any cross-site cookie transfer, this can be a handy option - but still risky..)
>>>>>
>>>>> I would suggest going with the 1st option or a combination of both, but with caution.
>>>>
>>>> Others must have come across this issue already. Is it a known bug, documented somewhere (ideally on apple.com)?
>>>>
>>>> --
>>>> Dave Page
>>>> Blog: http://pgsnake.blogspot.com
>>>> Twitter: @pgsnake
>>>>
>>>> EDB: http://www.enterprisedb.com
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.

--
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.
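Added example, not part of the thread or of pgAdmin's code: it models the Safari 12 behaviour described in the FAQ (only Strict and Lax known, any other SameSite value treated as Strict) and shows why the config_system.py override works. It assumes Flask-style cookie emission, where a Python None for SESSION_COOKIE_SAMESITE omits the SameSite attribute entirely; the cookie name and value are constructed samples.

```python
# Constructed example: how the SameSite config value ends up on the wire and
# how a Safari-12-era parser (per the thread's description) would read it.

def build_session_cookie(samesite, secure=True, name="session", value="abc"):
    """Emit a Set-Cookie header the way a Flask-style app builds it from
    SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE (assumption: a Python
    None means 'send no SameSite attribute at all')."""
    parts = [f"{name}={value}", "HttpOnly", "Path=/"]
    if secure:
        parts.append("Secure")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)

def parse_samesite(set_cookie):
    """Return the raw SameSite attribute value, or None if the attribute is absent."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val
    return None

def effective_samesite(set_cookie, buggy_safari12):
    """Model of the browser-side interpretation.
    buggy_safari12=True : only Strict and Lax are valid; anything else,
                          including 'None', is applied as Strict (the bug).
    buggy_safari12=False: a browser that understands SameSite=None.
    An absent attribute is reported as 'unrestricted' (no SameSite enforcement)."""
    raw = parse_samesite(set_cookie)
    if raw is None:
        return "unrestricted"
    val = raw.capitalize()          # attribute values are case-insensitive
    if val in ("Strict", "Lax"):
        return val
    if buggy_safari12:
        return "Strict"             # 'None' is unknown to it -> treated as Strict
    if val == "None":
        return "None"
    raise ValueError(f"SameSite value not modelled here: {raw}")

def compare(samesite_setting, secure=True):
    """(header, result in buggy Safari 12, result in a browser that knows None)."""
    hdr = build_session_cookie(samesite_setting, secure)
    return hdr, effective_samesite(hdr, True), effective_samesite(hdr, False)

if __name__ == "__main__":
    for setting in ("None", None):  # the string 'None' vs the override's Python None
        print(repr(setting), "->", compare(setting))
```

With the string value the buggy parser silently downgrades the session cookie to Strict, while the override drops the attribute so both parsers apply no SameSite restriction; the Secure flag stays set either way.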