From: Rahul Shirsat
Date: Thu, 3 Dec 2020 14:24:14 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Dave Page
Cc: pgadmin-hackers

Dave,

Please find below the corrected FAQ details.

Category : Troubleshooting

Question : When I set new tab settings for query tool or schema-diff, I get "Connection to server lost" or "CSRF tokens do not match" on Safari versions >= 12

Answer:

This has been seen mostly on Safari browser versions >= 12. It's reported that from v12, CFNetwork/Safari/WebKit erroneously handle "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari recognizes the SameSite option starting with version 12, but its implementation has a bug: it interprets invalid values as if SameSite=Strict had been specified, and for it only Strict and Lax are valid values, as the older specification did not yet specify None.

To solve this issue, we need to override the SameSite security settings. To do this, create a file called config_system.py (for the location in which to create the file, refer to The config.py file: https://www.pgadmin.org/docs/pgadmin4/development/config_py.html). This file can be used to override any of the settings in config.py (which shouldn't be edited). The config_system.py file should contain the following:

    SESSION_COOKIE_SAMESITE = None
    SESSION_COOKIE_SECURE = True

Note that these changes are not recommended, and we highly recommend that users use a different browser until the issue is resolved by Apple.

Removed the OS specific condition to make it generic for all distributions.
Added a warning note at the end of the FAQ.

On Wed, Dec 2, 2020 at 4:33 PM Dave Page wrote:
> Hi
>
> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>
>> Hi Dave,
>>
>> Could you please add below FAQ point for SameSite Safari issue:
>>
>> Question :
>> When I set new tab settings for query tool or schema-diff, I get
>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>> versions >= 12
>>
>> Answer:
>> This has been seen mostly on Safari browser versions >= 12. It's
>> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
>> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
>> recognizes the SameSite option starting with version 12, but their
>> implementation has a bug: It interprets invalid values as if
>> SameSite=Strict had been specified, and for it only Strict and Lax are
>> valid values, as the older specification did not yet specify None
>>
>> To solve this issue, we need to override the SameSite security
>> settings, for this, create a file called config_system.py in the web/
>> directory of the installation, alongside the existing config.py. This file
>> can be used to override any of the settings in config.py (which shouldn't
>> be edited). The config_system.py should have the below code:
>
> We could certainly add something like that, though, config_system.py
> doesn't go alongside config.py so that part of the text needs fixing.
>
>> import sys
>>
>> # Targeting only macOS
>> if sys.platform.startswith('darwin'):
>>     SESSION_COOKIE_SAMESITE = None
>>     SESSION_COOKIE_SECURE = True
>>
>> Do suggest or add any points if I am missing them.
>
> And that is not going to work in Server mode, only Desktop.
>
>> Also, let me know once this is done, so that I will close the ticket.
>>
>> --
>> *Rahul Shirsat*
>> Senior Software Engineer | EnterpriseDB Corporation.
>>
>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>
>>> This was the part of our internal quality testing, where it got
>>> encountered. Currently, none of the users have complained about this on
>>> their specific browser versions.
>>>
>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page wrote:
>>>
>>>> Hi
>>>>
>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>
>>>>> Dave,
>>>>>
>>>>> There are issues discussed on Apple forums, check this out:
>>>>>
>>>>> https://developer.apple.com/forums/thread/129064 - The latest comment
>>>>> by the user here is one month ago, meaning the issue is still not fixed yet.
>>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>>> issue in v13.x
>>>>>
>>>>> Even WebKit has confirmed this issue:
>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>>> issue in v12.x
>>>>
>>>> In that case, I think the answer (for now at least) is an FAQ,
>>>> referencing those issues and explaining how to resolve the issue using
>>>> config_system.py or by using a different browser.
>>>>
>>>> Have we actually seen this issue in the wild?
>>>>
>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>>>
>>>>>>> Hi Dave,
>>>>>>>
>>>>>>> Due to SameSite security issues in Safari Browser, some of the
>>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>
>>>>>>> The affected Safari Browser versions (marked in red) currently
>>>>>>> tested upon are:
>>>>>>>
>>>>>>> 1. v11.1.2
>>>>>>> 2. v12.1
>>>>>>> 3. v12.1.1
>>>>>>> 4. 13.1
>>>>>>> 5. 14.0.1
>>>>>>>
>>>>>>> Since v12, Safari has done some security fixes, due to which this
>>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>>> reproducible on its successor, i.e. v14.
>>>>>>>
>>>>>>> Possible solutions could be:
>>>>>>>
>>>>>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>>>> 2. Suggesting Safari users make the below changes in config.py or
>>>>>>> config_distro for the workaround:
>>>>>>>
>>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>>>
>>>>>>> (As we aren't going through any cross-site cookie transfer, this can
>>>>>>> be a handy option - but still risky..)
>>>>>>>
>>>>>>> I would suggest going with the 1st option or a combination of both,
>>>>>>> but with caution.
>>>>>>
>>>>>> Others must have come across this issue already. Is it a known bug,
>>>>>> documented somewhere (ideally on apple.com)?
>>>>>>
>>>>>> --
>>>>>> Dave Page
>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>> Twitter: @pgsnake
>>>>>>
>>>>>> EDB: http://www.enterprisedb.com

--
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.
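The two config_system.py settings change what the server's Set-Cookie header says, and the Safari bug discussed in this thread changes how that header is read. The following is an added example, not pgAdmin's own code: it mirrors the Flask SESSION_COOKIE_* semantics (a Python None omits the SameSite attribute, the string "None" emits SameSite=None) and a parser that applies the behaviour reported for Safari >= 12, where any value other than Strict or Lax is treated as Strict. The cookie name and value are constructed for the example.

```python
# Added example, not pgAdmin's code: how SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE
# shape the Set-Cookie header, and how the Safari >= 12 bug reads the SameSite attribute.

def build_set_cookie(name, value, samesite=None, secure=False):
    """Render a Set-Cookie header the way Flask's SESSION_COOKIE_* settings do.

    A Python None omits the SameSite attribute entirely (what the config_system.py
    workaround relies on); the string "None" emits an explicit SameSite=None.
    """
    if samesite is not None and samesite not in ("Strict", "Lax", "None"):
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    parts = [f"{name}={value}", "HttpOnly", "Path=/"]
    if secure:
        parts.append("Secure")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)

def parse_samesite(header):
    """Return the SameSite attribute value from a Set-Cookie header, or None if absent."""
    for attr in header.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val
    return None

def effective_samesite(header, buggy_safari=False):
    """Effective SameSite mode a browser applies to the cookie.

    Spec-compliant browsers use the value as written ("unset" when absent). The
    behaviour reported for Safari >= 12 knows only Strict and Lax and treats any
    other value, SameSite=None included, as Strict.
    """
    val = parse_samesite(header)
    if val is None:
        return "unset"
    if buggy_safari and val.lower() not in ("strict", "lax"):
        return "Strict"
    return val

def compare(samesite, secure=True):
    """(compliant, buggy-Safari) reading of one SESSION_COOKIE_SAMESITE choice.
    Cookie name and value are constructed for the example."""
    header = build_set_cookie("session", "constructed-session-id", samesite, secure)
    return effective_samesite(header), effective_samesite(header, buggy_safari=True)

if __name__ == "__main__":
    for setting in ("None", "Lax", None):  # None = attribute omitted (the workaround)
        print(f"SESSION_COOKIE_SAMESITE = {setting!r}: compliant/buggy -> {compare(setting)}")
```

Running it shows why the workaround omits the attribute rather than spelling out None: an explicit SameSite=None is read as Strict by the buggy browser, while an absent attribute is read the same way by both.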