From: Rahul Shirsat
Date: Thu, 3 Dec 2020 17:00:20 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Dave Page
Cc: pgadmin-hackers

Thanks Dave.

I have closed the issue.

On Thu, Dec 3, 2020 at 3:02 PM Dave Page wrote:
> Hi
>
> Please check: https://www.pgadmin.org/faq/#13
>
> On Thu, Dec 3, 2020 at 8:54 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>> Dave,
>>
>> Please find below the corrected FAQ details.
>>
>> Category: Troubleshooting
>>
>> Question:
>> When I set new tab settings for query tool or schema-diff, I get "Connection to server lost" or "CSRF tokens do not match" on Safari versions >= 12
>>
>> Answer:
>> This has been seen mostly on Safari browser versions >= 12. It's reported that from v12, CFNetwork/Safari/WebKit erroneously handle "SameSite=none" as the equivalent of "SameSite=strict". It means Safari recognizes the SameSite option starting with version 12, but their implementation has a bug: it interprets invalid values as if SameSite=Strict had been specified, and for it only Strict and Lax are valid values, as the older specification did not yet specify None.
>>
>> To solve this issue, we need to override the SameSite security settings. For this, create a file called config_system.py (for the location to create the file, refer to "The config.py file", https://www.pgadmin.org/docs/pgadmin4/development/config_py.html). This file can be used to override any of the settings in config.py (which shouldn't be edited). The config_system.py should have the below code:
>>
>>     SESSION_COOKIE_SAMESITE = None
>>     SESSION_COOKIE_SECURE = True
>>
>> Note that these changes are not recommended, and we highly recommend users to use a different browser until the issue gets resolved from Apple.
>>
>> Removed the OS specific condition to make it generic for all distributions.
>> Added a warning note at the end of the FAQ.
>>
>> On Wed, Dec 2, 2020 at 4:33 PM Dave Page wrote:
>>> Hi
>>>
>>> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>> Hi Dave,
>>>>
>>>> Could you please add the below FAQ point for the SameSite Safari issue:
>>>>
>>>> Question:
>>>> When I set new tab settings for query tool or schema-diff, I get "Connection to server lost" or "CSRF tokens do not match" on Safari versions >= 12
>>>>
>>>> Answer:
>>>> This has been seen mostly on Safari browser versions >= 12. It's reported that from v12, CFNetwork/Safari/WebKit erroneously handle "SameSite=none" as the equivalent of "SameSite=strict". It means Safari recognizes the SameSite option starting with version 12, but their implementation has a bug: it interprets invalid values as if SameSite=Strict had been specified, and for it only Strict and Lax are valid values, as the older specification did not yet specify None.
>>>>
>>>> To solve this issue, we need to override the SameSite security settings. For this, create a file called config_system.py in the web/ directory of the installation, alongside the existing config.py. This file can be used to override any of the settings in config.py (which shouldn't be edited). The config_system.py should have the below code:
>>>
>>> We could certainly add something like that, though config_system.py doesn't go alongside config.py, so that part of the text needs fixing.
>>>
>>>>     import sys
>>>>
>>>>     # Targeting only macOS
>>>>     if sys.platform.startswith('darwin'):
>>>>         SESSION_COOKIE_SAMESITE = None
>>>>         SESSION_COOKIE_SECURE = True
>>>>
>>>> Do suggest or add any points if I am missing them.
>>>
>>> And that is not going to work in Server mode, only Desktop.
>>>
>>>> Also, let me know once this is done, so that I will close the ticket.
>>>>
>>>> --
>>>> Rahul Shirsat
>>>> Senior Software Engineer | EnterpriseDB Corporation.
>>>>
>>>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>> This was part of our internal quality testing, where it got encountered. Currently, none of the users have complained about this on their specific browser versions.
>>>>>
>>>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page wrote:
>>>>>> Hi
>>>>>>
>>>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>>>> Dave,
>>>>>>>
>>>>>>> There are issues discussed on Apple forums, check these out:
>>>>>>>
>>>>>>> https://developer.apple.com/forums/thread/129064 - The latest comment by the user here is one month ago, meaning the issue is still not fixed yet.
>>>>>>> https://developer.apple.com/forums/thread/658688 - Users facing this issue in v13.x
>>>>>>>
>>>>>>> Even WebKit has confirmed this issue:
>>>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue in v12.x
>>>>>>
>>>>>> In that case, I think the answer (for now at least) is an FAQ, referencing those issues and explaining how to resolve the issue using config_system.py or by using a different browser.
>>>>>>
>>>>>> Have we actually seen this issue in the wild?
>>>>>>
>>>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>>>>>>>>> Hi Dave,
>>>>>>>>>
>>>>>>>>> Due to SameSite security issues in the Safari browser, some of the pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>>>
>>>>>>>>> The affected Safari browser versions (marked in red) currently tested upon are:
>>>>>>>>>
>>>>>>>>> 1. v11.1.2
>>>>>>>>> 2. v12.1
>>>>>>>>> 3. v12.1.1
>>>>>>>>> 4. 13.1
>>>>>>>>> 5. 14.0.1
>>>>>>>>>
>>>>>>>>> Since v12, Safari has done some security fixes, due to which this issue has occurred. Strangely, the issue is not reproducible on v13, but reproducible on its successor, i.e. v14.
>>>>>>>>>
>>>>>>>>> Possible solutions could be:
>>>>>>>>>
>>>>>>>>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>>>>>> 2. Suggesting Safari users make the below changes in config.py or config_distro for the workaround:
>>>>>>>>>
>>>>>>>>>     SESSION_COOKIE_SAMESITE = None
>>>>>>>>>     SESSION_COOKIE_SECURE = True
>>>>>>>>>
>>>>>>>>> (As we aren't going through any cross-site cookie transfer, this can be a handy option - but still risky..)
>>>>>>>>>
>>>>>>>>> I would suggest going with the 1st option or a combination of both, but with caution.
>>>>>>>>
>>>>>>>> Others must have come across this issue already. Is it a known bug, documented somewhere (ideally on apple.com)?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Dave Page
>>>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>>>> Twitter: @pgsnake
>>>>>>>>
>>>>>>>> EDB: http://www.enterprisedb.com
>>>>>>>
>>>>>>> --
>>>>>>> Rahul Shirsat
>>>>>>> Software Engineer | EnterpriseDB Corporation.

--
Rahul Shirsat
Software Engineer | EnterpriseDB Corporation.
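As an added illustration of the behaviour Rahul describes (not part of the thread, and not pgAdmin or WebKit code), a small Python model: it renders the session cookie header for the two SESSION_COOKIE_SAMESITE settings under discussion and evaluates it under a current-spec parser and a constructed legacy parser that, as the thread says of Safari >= 12, recognises only Strict and Lax and treats anything else as Strict. The "unrecognised value is ignored" rule for the modern parser comes from RFC 6265bis, not from the thread; the cookie name pga4_session and its value are constructed.

```python
# Added example, not the thread's text or pgAdmin's code: a model of the
# SameSite handling the thread describes, rendering the Set-Cookie header a
# Flask-style app emits for SESSION_COOKIE_SAMESITE = 'None' versus None.

MODERN_VALUES = {"strict", "lax", "none"}  # current spec
LEGACY_VALUES = {"strict", "lax"}          # pre-"None" set per the thread


def build_set_cookie(name, value, samesite, secure=True):
    """Render Set-Cookie as a Werkzeug-style session cookie would.
    samesite=None omits the attribute (the FAQ workaround); the string
    'None' writes SameSite=None, which the thread says Safari >= 12 mishandles."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def parse_attributes(header):
    """Split 'k=v; A; B=c' into a lower-cased {attribute: value} dict."""
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return attrs


def effective_samesite(header, legacy):
    """Mode the modelled browser enforces. 'Default' = no usable attribute.
    Legacy model: any value outside Strict/Lax, including None, becomes
    Strict (the failure described above). Modern model: an unrecognised
    value is ignored, as RFC 6265bis specifies."""
    attrs = parse_attributes(header)
    if "samesite" not in attrs:
        return "Default"
    val = attrs["samesite"].lower()
    if val in (LEGACY_VALUES if legacy else MODERN_VALUES):
        return val.capitalize()
    return "Strict" if legacy else "Default"


def none_requires_secure(header):
    """Modern browsers reject SameSite=None unless Secure is also set."""
    attrs = parse_attributes(header)
    return attrs.get("samesite", "").lower() != "none" or "secure" in attrs


def compare_configs():
    """Both config choices -> {label: (modern_mode, legacy_mode)}."""
    out = {}
    for label, value in (("SameSite=None", "None"), ("omitted", None)):
        hdr = build_set_cookie("pga4_session", "constructed-value", value)
        out[label] = (effective_samesite(hdr, False), effective_samesite(hdr, True))
    return out
```

Omitting the attribute sidesteps the legacy misparse, which is why the FAQ keeps SESSION_COOKIE_SECURE = True while setting SESSION_COOKIE_SAMESITE to None rather than 'None'.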