From: Rahul Shirsat
Date: Mon, 30 Nov 2020 19:30:04 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Dave Page
Cc: pgadmin-hackers

This was part of our internal quality testing, where it was encountered. Currently, none of the users have complained about this on their specific browser versions.

On Mon, Nov 30, 2020 at 5:12 PM Dave Page wrote:
> Hi
>
> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>
>> Dave,
>>
>> There are issues discussed on Apple forums, check these out:
>>
>> https://developer.apple.com/forums/thread/129064 - The latest comment by the user here is one month ago, meaning the issue is still not fixed yet.
>> https://developer.apple.com/forums/thread/658688 - Users facing this issue in v13.x
>>
>> Even WebKit has confirmed this issue: https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue in v12.x
>
> In that case, I think the answer (for now at least) is an FAQ, referencing those issues and explaining how to resolve the issue using config_system.py or by using a different browser.
>
> Have we actually seen this issue in the wild?
>
>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page wrote:
>>
>>> Hi
>>>
>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Due to SameSite security issues in the Safari browser, some of the pgAdmin4 functionality isn't working (mostly the new tab functionality).
>>>>
>>>> The affected Safari browser versions (marked in red) currently tested are:
>>>>
>>>> 1. v11.1.2
>>>> 2. v12.1
>>>> 3. v12.1.1
>>>> 4. 13.1
>>>> 5. 14.0.1
>>>>
>>>> Since v12, Safari has done some security fixes, due to which this issue has occurred. Strangely, the issue is not reproducible on v13, but is reproducible on its successor, i.e. v14.
>>>>
>>>> Possible solutions could be:
>>>>
>>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>>> 2. Suggesting Safari users make the changes below in config.py or config_distro.py as a workaround:
>>>>
>>>>     SESSION_COOKIE_SAMESITE = None
>>>>     SESSION_COOKIE_SECURE = True
>>>>
>>>> (As we aren't going through any cross-site cookie transfer, this can be a handy option - but still risky.)
>>>>
>>>> I would suggest going with the 1st option or a combination of both, but with caution.
>>>
>>> Others must have come across this issue already. Is it a known bug, documented somewhere (ideally on apple.com)?
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EDB: http://www.enterprisedb.com
>>
>> --
>> Rahul Shirsat
>> Software Engineer | EnterpriseDB Corporation.
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com

--
Rahul Shirsat
Software Engineer | EnterpriseDB Corporation.
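The thread proposes, as a Safari workaround, setting SESSION_COOKIE_SAMESITE = None together with SESSION_COOKIE_SECURE = True in pgAdmin's config.py. The following is an added example, not code from pgAdmin, Flask or Werkzeug: it re-implements the attribute logic of werkzeug.http.dump_cookie() (which Flask uses to emit the session cookie) so it runs offline, and shows the Set-Cookie header each combination of those two settings produces, plus the caveats a reviewer would attach to each. The cookie name pga4_session, its value, and 'Lax' as pgAdmin's current setting are assumptions for the demonstration.

```python
"""Added example (not pgAdmin's, Flask's or Werkzeug's own code).

Shows how the possible values of Flask's SESSION_COOKIE_SAMESITE setting,
combined with SESSION_COOKIE_SECURE, change the Set-Cookie header sent for
the session cookie. build_session_cookie() mirrors the attribute handling of
werkzeug.http.dump_cookie() so that the example runs without Flask installed.
The cookie name and value are assumptions for the demonstration.
"""
from typing import Dict, List, Optional

_VALID_SAMESITE = {"Strict", "Lax", "None"}


def build_session_cookie(samesite: Optional[str], secure: bool,
                         name: str = "pga4_session",   # assumed cookie name
                         value: str = "s3ss10n") -> str:  # made-up value
    """Return the Set-Cookie line for a SESSION_COOKIE_SAMESITE /
    SESSION_COOKIE_SECURE pair.

    The Python object None (the workaround in the thread) omits the SameSite
    attribute altogether. The *string* "None" emits 'SameSite=None', which is
    a different cookie and is the value that needs Secure alongside it.
    """
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if samesite is not None:
        samesite = samesite.title()  # werkzeug normalises 'lax' -> 'Lax'
        if samesite not in _VALID_SAMESITE:
            raise ValueError(f"SameSite must be Strict, Lax or None, got {samesite!r}")
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse a Set-Cookie line into a dict keyed by lower-cased attribute name.

    Valueless attributes (Secure, HttpOnly) map to None; the cookie's own
    name and value are stored under '_name' and '_value'.
    """
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, Optional[str]] = {"_name": name, "_value": value}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return attrs


def review_settings(samesite: Optional[str], secure: bool) -> List[str]:
    """Return the caveats that apply to a given combination of settings."""
    attrs = parse_set_cookie(build_session_cookie(samesite, secure))
    notes: List[str] = []
    if attrs.get("samesite") == "None" and "secure" not in attrs:
        # Chromium (80 and later) drops SameSite=None cookies that lack Secure.
        notes.append("SameSite=None requires Secure; the cookie will be rejected")
    if "samesite" not in attrs:
        # The thread's workaround: with no attribute, a browser that does not
        # default to Lax sends the session cookie on cross-site requests, so
        # CSRF protection has to come from elsewhere (e.g. request tokens).
        notes.append("no SameSite attribute: cross-site requests may carry the session")
    if "secure" not in attrs:
        notes.append("no Secure flag: the session cookie is also sent over plain HTTP")
    return notes


if __name__ == "__main__":
    for label, samesite, secure in [
        ("'Lax' (assumed current pgAdmin setting)", "Lax", True),
        ("string 'None'", "None", True),
        ("thread workaround (Python None)", None, True),
        ("workaround without Secure", None, False),
    ]:
        print(f"{label}: {build_session_cookie(samesite, secure)}")
        for note in review_settings(samesite, secure):
            print(f"    caveat: {note}")
```

The point the example makes concrete is the one the thread's "still risky" remark hints at: the proposed setting does not select a SameSite mode, it removes the attribute, so the session cookie's cross-site behaviour is then whatever each browser's default is, and SESSION_COOKIE_SECURE = True only limits it to HTTPS. Anyone shipping this in an FAQ should pair it with a reminder that pgAdmin's other request-level protections are what stand in for SameSite while it is off.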