From: Rahul Shirsat
Date: Thu, 26 Nov 2020 13:32:53 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Akshay Joshi
Cc: pgadmin-hackers

Yes Akshay.

I think we should go ahead adding this approach in the pgAdmin FAQs; we would not be fixing this in our code as we don't know when Apple would fix its issue.

On Thu, Nov 26, 2020 at 11:27 AM Akshay Joshi wrote:
> Hi Rahul
>
> On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
>> Hi Dave,
>>
>> Due to SameSite security issues in Safari Browser, some of the pgAdmin4
>> functionality isn't working (mostly the new tab functionality).
>>
>> The affected Safari Browser versions (marked in red) currently tested
>> upon are:
>>
>> 1. v11.1.2
>> 2. v12.1
>> 3. v12.1.1
>> 4. v13.1
>> 5. v14.0.1
>>
>> Since v12, Safari has done some security fixes, due to which this issue
>> has occurred. Strangely, the issue is not reproducible on v13, but
>> reproducible on its successor, i.e. v14.
>>
>> Possible solutions could be:
>>
>> 1. Reporting this to Safari & raising an RM for tracking purposes.
>> 2. Suggesting Safari users make the below changes in config.py or
>> config_distro for the workaround:
>>
>> SESSION_COOKIE_SAMESITE = None
>> SESSION_COOKIE_SECURE = True
>>
>> (As we aren't going through any cross-site cookie transfer, this can be a
>> handy option - but still risky..)
>>
>> I would suggest going with the 1st option or a combination of both, but
>> with caution.
>
> In my opinion, we should go with both the options, as we have added the
> above settings for security purposes.
>
>> --
>> Rahul Shirsat
>> Software Engineer | EnterpriseDB Corporation.
>
> --
> Thanks & Regards
> Akshay Joshi
> pgAdmin Hacker | Principal Software Architect
> EDB Postgres
> Mobile: +91 976-788-8246

--
Rahul Shirsat
Software Engineer | EnterpriseDB Corporation.
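The following is an added example, not code from pgAdmin or from anyone in this thread. It shows what the two Flask settings discussed above (SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE) produce in the Set-Cookie header, mirroring Flask/Werkzeug's handling (a Python None omits the SameSite attribute entirely, while the string 'None' emits SameSite=None; other strings are title-cased and must be Strict or Lax), and then audits the resulting header for combinations current browsers reject or that weaken the session cookie. The cookie name pga4_session and the 'Lax'/False "before" values are assumptions made for illustration, not taken from pgAdmin's configuration.

```python
# Added example (not pgAdmin code): what SESSION_COOKIE_SAMESITE /
# SESSION_COOKIE_SECURE produce on the wire, plus a policy check.
# Cookie name and the "before" values below are assumed for illustration.
from typing import Dict, List, Optional, Tuple

VALID_SAMESITE = ("Strict", "Lax", "None")


def session_cookie_header(samesite: Optional[str], secure: bool,
                          value: str = "abc123",
                          name: str = "pga4_session") -> str:
    """Build the Set-Cookie value the way Flask/Werkzeug do for the session
    cookie: a Python None omits SameSite altogether; a string is title-cased
    and must be Strict, Lax or None (the string 'None' emits SameSite=None)."""
    if samesite is not None:
        samesite = samesite.title()
        if samesite not in VALID_SAMESITE:
            raise ValueError(f"SameSite must be one of {VALID_SAMESITE}, got {samesite!r}")
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes). Attribute names
    are lower-cased; bare flags such as Secure and HttpOnly map to None."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for item in rest:
        if not item:
            continue
        key, sep, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, value, attrs


def check_cookie_policy(header: str) -> List[str]:
    """Return findings for attribute combinations that browsers reject or that
    weaken the cookie. An empty list means the header is acceptable."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    samesite = attrs.get("samesite")
    secure = "secure" in attrs
    if samesite is not None and samesite.lower() == "none" and not secure:
        findings.append("SameSite=None requires Secure; browsers drop the cookie")
    if samesite is None:
        findings.append("no SameSite attribute: browser default applies "
                        "(Lax in Chromium, no restriction in older browsers)")
    if not secure:
        findings.append("cookie will also be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("cookie readable from JavaScript (no HttpOnly)")
    return findings


if __name__ == "__main__":
    # Constructed config variants: the assumed defaults, the thread's workaround,
    # the string 'None' instead of Python None, and a broken combination.
    variants = {
        "assumed default (SameSite='Lax', Secure=False)": ("Lax", False),
        "thread workaround (SameSite=None, Secure=True)": (None, True),
        "string 'None' instead of Python None": ("None", True),
        "misconfigured: 'None' without Secure": ("None", False),
    }
    for label, (samesite, secure) in variants.items():
        hdr = session_cookie_header(samesite, secure)
        print(f"{label}\n  Set-Cookie: {hdr}")
        for finding in check_cookie_policy(hdr):
            print(f"  ! {finding}")
```

After changing either setting, confirm what pgAdmin actually sends (browser developer tools, or `curl -I` against the login page) rather than trusting the config file: the Python value None and the string 'None' give different headers, and only one of them carries an explicit SameSite=None, which browsers accept solely when Secure is also set, i.e. when pgAdmin is served over HTTPS.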