From: Rahul Shirsat
Date: Mon, 30 Nov 2020 12:41:42 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Dave Page
Cc: pgadmin-hackers

Dave,

There are issues discussed on Apple forums, check this out:

https://developer.apple.com/forums/thread/129064 - The latest comment by the user here is one month ago, meaning the issue is still not fixed yet.
https://developer.apple.com/forums/thread/658688 - Users facing this issue in v13.x

Even WebKit has confirmed this issue: https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue in v12.x

On Thu, Nov 26, 2020 at 6:57 PM Dave Page wrote:

> Hi
>
> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>
>> Hi Dave,
>>
>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>> functionality isn't working (mostly the new tab functionality).
>>
>> The affected Safari Browser versions (marked in red) currently tested
>> upon are:
>>
>> 1. v11.1.2
>> 2. v12.1
>> 3. v12.1.1
>> 4. 13.1
>> 5. 14.0.1
>>
>> Since v12, Safari has done some security fixes, due to which this issue
>> has occurred. Strangely, the issue is not reproducible on v13, but
>> reproducible on its successor i.e. v14
>>
>> Possible solutions could be:
>>
>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>> 2. Suggesting Safari users to make the below changes in config.py or
>> config_distro for the workaround:
>>
>> SESSION_COOKIE_SAMESITE = None
>>
>> SESSION_COOKIE_SECURE = True
>>
>> (As we aren't going through any cross-site cookie transfer, this can be a
>> handy option - but still risky..)
>>
>> I would suggest going with the 1st option or combination of both, but
>> with caution.
>>
>
> Others must have come across this issue already. Is it a known bug,
> documented somewhere (ideally on apple.com)?
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>

--
Rahul Shirsat
Software Engineer | EnterpriseDB Corporation.