public inbox for [email protected]  
SameSite issues in Safari Browser (reference #RM5975)
13+ messages / 4 participants

* SameSite issues in Safari Browser (reference #RM5975)
@ 2020-11-25 10:37 Rahul Shirsat <[email protected]>
  2020-11-26 05:57 ` Re: SameSite issues in Safari Browser (reference #RM5975) Akshay Joshi <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  0 siblings, 2 replies; 13+ messages in thread

From: Rahul Shirsat @ 2020-11-25 10:37 UTC (permalink / raw)
  To: pgadmin-hackers

Hi Dave,

Due to SameSite security issues in Safari Browser, some of the pgadmin4
functionality isn't working (mostly the new tab functionality).

The affected Safari Browser versions (marked in red) currently tested upon
are:

   1. v11.1.2
   2. v12.1
   3. v12.1.1
   4. 13.1
   5. 14.0.1

Since v12, Safari has done some security fixes, due to which this issue
has occurred. Strangely, the issue is not reproducible on v13, but it is
reproducible on its successor, i.e. v14.

Possible solutions could be:

   1. Reporting this to Safari & raising an RM for tracking purposes.
   2. Suggesting that Safari users make the below changes in config.py or
   config_distro as a workaround:

*SESSION_COOKIE_SAMESITE = None*

*SESSION_COOKIE_SECURE = True*
(As we aren't going through any cross-site cookie transfer, this can be a
handy option, but it is still risky.)

I would suggest going with the 1st option or combination of both, but with
caution.

-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-11-26 05:57 ` Akshay Joshi <[email protected]>
  2020-11-26 08:02   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  1 sibling, 1 reply; 13+ messages in thread

From: Akshay Joshi @ 2020-11-26 05:57 UTC (permalink / raw)
  To: Rahul Shirsat <[email protected]>; +Cc: pgadmin-hackers

Hi Rahul

On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <
[email protected]> wrote:

> Hi Dave,
>
> Due to SameSite security issues in Safari Browser, some of the pgadmin4
> functionality isn't working (mostly the new tab functionality).
>
> The affected Safari Browser versions (marked in red) currently tested upon
> are:
>
>    1. v11.1.2
>    2. v12.1
>    3. v12.1.1
>    4. 13.1
>    5. 14.0.1
>
> Since v12, Safari have done some security fixes, due to which this issue
> has occurred. Strangely, the issue is not reproducible on v13, but
> reproducible on its successor i.e. v14
>
> Possible solutions could be:
>
>    1. Reporting this to Safari & raising an RM for tracking purposes.
>    2. Suggesting Safari users to make below changes in config.py or
>    config_distro for the work around:
>
> *SESSION_COOKIE_SAMESITE = None*
>
> *SESSION_COOKIE_SECURE = True*
> (As we aren't going through any cross-site cookie transfer, this can be a
> handy option - but still risky..)
>
> I would suggest going with the 1st option or combination of both, but with
> caution.
>

   In my opinion, we should go with both options, as we have added the
above settings for security purposes.

>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>


-- 
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 05:57 ` Re: SameSite issues in Safari Browser (reference #RM5975) Akshay Joshi <[email protected]>
@ 2020-11-26 08:02   ` Rahul Shirsat <[email protected]>
  2020-11-26 08:50     ` Re: SameSite issues in Safari Browser (reference #RM5975) Ashesh Vashi <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Rahul Shirsat @ 2020-11-26 08:02 UTC (permalink / raw)
  To: Akshay Joshi <[email protected]>; +Cc: pgadmin-hackers

Yes Akshay.

I think we should go ahead and add this approach to the pgAdmin FAQs; we
would not be fixing this in our code, as we don't know when Apple will fix
its issue.

On Thu, Nov 26, 2020 at 11:27 AM Akshay Joshi <[email protected]>
wrote:

> Hi Rahul
>
> On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <
> [email protected]> wrote:
>
>> Hi Dave,
>>
>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>> functionality isn't working (mostly the new tab functionality).
>>
>> The affected Safari Browser versions (marked in red) currently tested
>> upon are:
>>
>>    1. v11.1.2
>>    2. v12.1
>>    3. v12.1.1
>>    4. 13.1
>>    5. 14.0.1
>>
>> Since v12, Safari have done some security fixes, due to which this issue
>> has occurred. Strangely, the issue is not reproducible on v13, but
>> reproducible on its successor i.e. v14
>>
>> Possible solutions could be:
>>
>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>    2. Suggesting Safari users to make below changes in config.py or
>>    config_distro for the work around:
>>
>> *SESSION_COOKIE_SAMESITE = None*
>>
>> *SESSION_COOKIE_SECURE = True*
>> (As we aren't going through any cross-site cookie transfer, this can be a
>> handy option - but still risky..)
>>
>> I would suggest going with the 1st option or combination of both, but
>> with caution.
>>
>
>    In my opinion, we should go with both the options, as we have added the
> above settings for security purposes.
>
>>
>> --
>> *Rahul Shirsat*
>> Software Engineer | EnterpriseDB Corporation.
>>
>
>
> --
> *Thanks & Regards*
> *Akshay Joshi*
> *pgAdmin Hacker | Principal Software Architect*
> *EDB Postgres <http://edbpostgres.com>*
>
> *Mobile: +91 976-788-8246*
>


-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 05:57 ` Re: SameSite issues in Safari Browser (reference #RM5975) Akshay Joshi <[email protected]>
  2020-11-26 08:02   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-11-26 08:50     ` Ashesh Vashi <[email protected]>
  0 siblings, 0 replies; 13+ messages in thread

From: Ashesh Vashi @ 2020-11-26 08:50 UTC (permalink / raw)
  To: Rahul Shirsat <[email protected]>; +Cc: Akshay Joshi <[email protected]>; pgadmin-hackers

On Thu, Nov 26, 2020 at 1:33 PM Rahul Shirsat <
[email protected]> wrote:

> Yes Akshay.
>
> I think we should go ahead adding this approach in the pgadmin faqs, we
> would not be fixing this in our code as we don't know when Apple would fix
> its issue.
>

Or, add these configs in the config_distro.py for Mac packages.

-- Ashesh

>
> On Thu, Nov 26, 2020 at 11:27 AM Akshay Joshi <
> [email protected]> wrote:
>
>> Hi Rahul
>>
>> On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <
>> [email protected]> wrote:
>>
>>> Hi Dave,
>>>
>>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>>> functionality isn't working (mostly the new tab functionality).
>>>
>>> The affected Safari Browser versions (marked in red) currently tested
>>> upon are:
>>>
>>>    1. v11.1.2
>>>    2. v12.1
>>>    3. v12.1.1
>>>    4. 13.1
>>>    5. 14.0.1
>>>
>>> Since v12, Safari have done some security fixes, due to which this issue
>>> has occurred. Strangely, the issue is not reproducible on v13, but
>>> reproducible on its successor i.e. v14
>>>
>>> Possible solutions could be:
>>>
>>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>>    2. Suggesting Safari users to make below changes in config.py or
>>>    config_distro for the work around:
>>>
>>> *SESSION_COOKIE_SAMESITE = None*
>>>
>>> *SESSION_COOKIE_SECURE = True*
>>> (As we aren't going through any cross-site cookie transfer, this can be
>>> a handy option - but still risky..)
>>>
>>> I would suggest going with the 1st option or combination of both, but
>>> with caution.
>>>
>>
>>    In my opinion, we should go with both the options, as we have added
>> the above settings for security purposes.
>>
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>
>>
>> --
>> *Thanks & Regards*
>> *Akshay Joshi*
>> *pgAdmin Hacker | Principal Software Architect*
>> *EDB Postgres <http://edbpostgres.com>*
>>
>> *Mobile: +91 976-788-8246*
>>
>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-11-26 13:27 ` Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  1 sibling, 1 reply; 13+ messages in thread

From: Dave Page @ 2020-11-26 13:27 UTC (permalink / raw)
  To: Rahul Shirsat <[email protected]>; +Cc: pgadmin-hackers

Hi

On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
[email protected]> wrote:

> Hi Dave,
>
> Due to SameSite security issues in Safari Browser, some of the pgadmin4
> functionality isn't working (mostly the new tab functionality).
>
> The affected Safari Browser versions (marked in red) currently tested upon
> are:
>
>    1. v11.1.2
>    2. v12.1
>    3. v12.1.1
>    4. 13.1
>    5. 14.0.1
>
> Since v12, Safari have done some security fixes, due to which this issue
> has occurred. Strangely, the issue is not reproducible on v13, but
> reproducible on its successor i.e. v14
>
> Possible solutions could be:
>
>    1. Reporting this to Safari & raising an RM for tracking purposes.
>    2. Suggesting Safari users to make below changes in config.py or
>    config_distro for the work around:
>
> *SESSION_COOKIE_SAMESITE = None*
>
> *SESSION_COOKIE_SECURE = True*
> (As we aren't going through any cross-site cookie transfer, this can be a
> handy option - but still risky..)
>
> I would suggest going with the 1st option or combination of both, but with
> caution.
>

Others must have come across this issue already. Is it a known bug,
documented somewhere (ideally on apple.com)?

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
@ 2020-11-30 07:11   ` Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Rahul Shirsat @ 2020-11-30 07:11 UTC (permalink / raw)
  To: Dave Page <[email protected]>; +Cc: pgadmin-hackers

Dave,

There are issues discussed on the Apple forums; check these out:

https://developer.apple.com/forums/thread/129064 - The latest comment by
the user here was one month ago, meaning the issue is still not fixed.
https://developer.apple.com/forums/thread/658688 - Users facing this issue
in v13.x

Even WebKit has confirmed this issue:
https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue
in v12.x

On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:

> Hi
>
> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
> [email protected]> wrote:
>
>> Hi Dave,
>>
>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>> functionality isn't working (mostly the new tab functionality).
>>
>> The affected Safari Browser versions (marked in red) currently tested
>> upon are:
>>
>>    1. v11.1.2
>>    2. v12.1
>>    3. v12.1.1
>>    4. 13.1
>>    5. 14.0.1
>>
>> Since v12, Safari have done some security fixes, due to which this issue
>> has occurred. Strangely, the issue is not reproducible on v13, but
>> reproducible on its successor i.e. v14
>>
>> Possible solutions could be:
>>
>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>    2. Suggesting Safari users to make below changes in config.py or
>>    config_distro for the work around:
>>
>> *SESSION_COOKIE_SAMESITE = None*
>>
>> *SESSION_COOKIE_SECURE = True*
>> (As we aren't going through any cross-site cookie transfer, this can be a
>> handy option - but still risky..)
>>
>> I would suggest going with the 1st option or combination of both, but
>> with caution.
>>
>
> Others must have come across this issue already. Is it a known bug,
> documented somewhere (ideally on apple.com)?
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-11-30 11:42     ` Dave Page <[email protected]>
  2020-11-30 14:00       ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Dave Page @ 2020-11-30 11:42 UTC (permalink / raw)
  To: Rahul Shirsat <[email protected]>; +Cc: pgadmin-hackers

Hi

On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
[email protected]> wrote:

> Dave,
>
> There are issues discussed on Apple forums, check this out:
>
> https://developer.apple.com/forums/thread/129064 - The latest comment by
> the user here is one month ago, meaning the issue is still not fixed yet.
> https://developer.apple.com/forums/thread/658688 - Users facing this
> issue in v13.x
>
> Even webkit has confirmed about this issue :
> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue
> in v12.x
>

In that case, I think the answer (for now at least) is an FAQ, referencing
those issues and explaining how to resolve the issue using config_system.py
or by using a different browser.

Have we actually seen this issue in the wild?



>
> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>> [email protected]> wrote:
>>
>>> Hi Dave,
>>>
>>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>>> functionality isn't working (mostly the new tab functionality).
>>>
>>> The affected Safari Browser versions (marked in red) currently tested
>>> upon are:
>>>
>>>    1. v11.1.2
>>>    2. v12.1
>>>    3. v12.1.1
>>>    4. 13.1
>>>    5. 14.0.1
>>>
>>> Since v12, Safari have done some security fixes, due to which this issue
>>> has occurred. Strangely, the issue is not reproducible on v13, but
>>> reproducible on its successor i.e. v14
>>>
>>> Possible solutions could be:
>>>
>>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>>    2. Suggesting Safari users to make below changes in config.py or
>>>    config_distro for the work around:
>>>
>>> *SESSION_COOKIE_SAMESITE = None*
>>>
>>> *SESSION_COOKIE_SECURE = True*
>>> (As we aren't going through any cross-site cookie transfer, this can be
>>> a handy option - but still risky..)
>>>
>>> I would suggest going with the 1st option or combination of both, but
>>> with caution.
>>>
>>
>> Others must have come across this issue already. Is it a known bug,
>> documented somewhere (ideally on apple.com)?
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
@ 2020-11-30 14:00       ` Rahul Shirsat <[email protected]>
  2020-12-01 17:50         ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Rahul Shirsat @ 2020-11-30 14:00 UTC (permalink / raw)
  To: Dave Page <[email protected]>; +Cc: pgadmin-hackers

This was part of our internal quality testing, where it was
encountered. Currently, none of the users have complained about this on
their specific browser versions.

On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:

> Hi
>
> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
> [email protected]> wrote:
>
>> Dave,
>>
>> There are issues discussed on Apple forums, check this out:
>>
>> https://developer.apple.com/forums/thread/129064 - The latest comment by
>> the user here is one month ago, meaning the issue is still not fixed yet.
>> https://developer.apple.com/forums/thread/658688 - Users facing this
>> issue in v13.x
>>
>> Even webkit has confirmed about this issue :
>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this issue
>> in v12.x
>>
>
> In that case, I think the answer (for now at least) is an FAQ, referencing
> those issues and explaining how to resolve the issue using config_system.py
> or by using a different browser.
>
> Have we actually seen this issue in wild?
>
>
>
>>
>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>
>>> Hi
>>>
>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>> [email protected]> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Due to SameSite security issues in Safari Browser, some of the pgadmin4
>>>> functionality isn't working (mostly the new tab functionality).
>>>>
>>>> The affected Safari Browser versions (marked in red) currently tested
>>>> upon are:
>>>>
>>>>    1. v11.1.2
>>>>    2. v12.1
>>>>    3. v12.1.1
>>>>    4. 13.1
>>>>    5. 14.0.1
>>>>
>>>> Since v12, Safari have done some security fixes, due to which this
>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>> reproducible on its successor i.e. v14
>>>>
>>>> Possible solutions could be:
>>>>
>>>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>    2. Suggesting Safari users to make below changes in config.py or
>>>>    config_distro for the work around:
>>>>
>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>
>>>> *SESSION_COOKIE_SECURE = True*
>>>> (As we aren't going through any cross-site cookie transfer, this can be
>>>> a handy option - but still risky..)
>>>>
>>>> I would suggest going with the 1st option or combination of both, but
>>>> with caution.
>>>>
>>>
>>> Others must have come across this issue already. Is it a known bug,
>>> documented somewhere (ideally on apple.com)?
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EDB: http://www.enterprisedb.com
>>>
>>>
>>
>> --
>> *Rahul Shirsat*
>> Software Engineer | EnterpriseDB Corporation.
>>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 14:00       ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-12-01 17:50         ` Rahul Shirsat <[email protected]>
  2020-12-02 11:03           ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Rahul Shirsat @ 2020-12-01 17:50 UTC (permalink / raw)
  To: Dave Page <[email protected]>; +Cc: pgadmin-hackers

Hi Dave,

Could you please add the below FAQ entry for the SameSite Safari issue:

Question:
When I set new tab settings for the query tool or schema-diff, I get
"Connection to server lost" or "CSRF tokens do not match" on Safari
versions >= 12.

Answer:
<p>This has been seen mostly on Safari browser versions >= 12. It is
reported that, from v12, CFNetwork/Safari/WebKit erroneously handle
"Samesite=none" as the equivalent of "Samesite=strict". This means Safari
recognizes the SameSite option starting with version 12, but its
implementation has a bug: it interprets invalid values as if
SameSite=Strict had been specified, and for it only Strict and Lax are
valid values, as the older specification did not yet specify None.</p>

<p>To solve this issue, we need to override the SameSite security settings.
To do this, create a file called config_system.py in the web/ directory of
the installation, alongside the existing config.py. This file can be used
to override any of the settings in config.py (which shouldn't be edited).
config_system.py should contain the code below:</p>

<pre>
import sys

# Targeting only macOS
if sys.platform.startswith('darwin'):
    SESSION_COOKIE_SAMESITE = None
    SESSION_COOKIE_SECURE = True
</pre>

Do suggest or add any points if I am missing them.

Also, let me know once this is done, so that I can close the ticket.

-- 
*Rahul Shirsat*
Senior Software Engineer | EnterpriseDB Corporation.

On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <
[email protected]> wrote:

> This was the part of our internal quality testing, where it got
> encountered. Currently, none of the users have complained about this on
> their specific browser versions.
>
> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
>> [email protected]> wrote:
>>
>>> Dave,
>>>
>>> There are issues discussed on Apple forums, check this out:
>>>
>>> https://developer.apple.com/forums/thread/129064 - The latest comment
>>> by the user here is one month ago, meaning the issue is still not fixed yet.
>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>> issue in v13.x
>>>
>>> Even webkit has confirmed about this issue :
>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>> issue in v12.x
>>>
>>
>> In that case, I think the answer (for now at least) is an FAQ,
>> referencing those issues and explaining how to resolve the issue using
>> config_system.py or by using a different browser.
>>
>> Have we actually seen this issue in wild?
>>
>>
>>
>>>
>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi Dave,
>>>>>
>>>>> Due to SameSite security issues in Safari Browser, some of the
>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>
>>>>> The affected Safari Browser versions (marked in red) currently tested
>>>>> upon are:
>>>>>
>>>>>    1. v11.1.2
>>>>>    2. v12.1
>>>>>    3. v12.1.1
>>>>>    4. 13.1
>>>>>    5. 14.0.1
>>>>>
>>>>> Since v12, Safari have done some security fixes, due to which this
>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>> reproducible on its successor i.e. v14
>>>>>
>>>>> Possible solutions could be:
>>>>>
>>>>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>>    2. Suggesting Safari users to make below changes in config.py or
>>>>>    config_distro for the work around:
>>>>>
>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>
>>>>> *SESSION_COOKIE_SECURE = True*
>>>>> (As we aren't going through any cross-site cookie transfer, this can
>>>>> be a handy option - but still risky..)
>>>>>
>>>>> I would suggest going with the 1st option or combination of both, but
>>>>> with caution.
>>>>>
>>>>
>>>> Others must have come across this issue already. Is it a known bug,
>>>> documented somewhere (ideally on apple.com)?
>>>>
>>>> --
>>>> Dave Page
>>>> Blog: http://pgsnake.blogspot.com
>>>> Twitter: @pgsnake
>>>>
>>>> EDB: http://www.enterprisedb.com
>>>>
>>>>
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>


-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.


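As an added illustration (not code from this thread or from pgAdmin itself), the Python below renders the SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE settings proposed in Rahul's first message and in the FAQ text above into a Set-Cookie header, and models the Safari 12 behaviour the FAQ describes (any value other than Strict or Lax treated as Strict). The cookie name and value, the two browser-model names, and the assumption that the described Safari build leaves a cookie with no SameSite attribute unrestricted are mine, not the page's.

```python
# Added example, not pgAdmin's own code: what Flask-style SESSION_COOKIE_*
# settings turn into on the wire, and a small model of the Safari 12
# behaviour described in this thread's FAQ text.
from http.cookies import SimpleCookie

VALID_SAMESITE = ("Strict", "Lax", "None")


def build_session_cookie(config, name="pga4_session", value="constructed-session-id"):
    """Render a Set-Cookie header from Flask-style SESSION_COOKIE_* keys.

    Mirrors the distinction Flask/Werkzeug make: Python ``None`` for
    SESSION_COOKIE_SAMESITE omits the attribute altogether, while the string
    "None" emits ``SameSite=None``.  Cookie name and value are constructed.
    """
    samesite = config.get("SESSION_COOKIE_SAMESITE")
    if samesite is not None and samesite not in VALID_SAMESITE:
        raise ValueError("SESSION_COOKIE_SAMESITE must be Strict, Lax, 'None' or None")
    secure = bool(config.get("SESSION_COOKIE_SECURE", False))
    if samesite == "None" and not secure:
        # Current browsers drop SameSite=None cookies that are not Secure,
        # so refuse to emit that combination instead of failing silently.
        raise ValueError("SameSite=None requires SESSION_COOKIE_SECURE = True")
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = bool(config.get("SESSION_COOKIE_HTTPONLY", True))
    morsel["secure"] = secure
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def parse_samesite(header):
    """Return the SameSite value carried by a Set-Cookie header, or None if absent."""
    for part in header.split(";"):
        attr, _, val = part.strip().partition("=")
        if attr.lower() == "samesite":
            return val
    return None


def effective_samesite(header, browser="spec"):
    """Policy a browser applies to the cookie.

    "spec": Strict, Lax and None are honoured; an absent attribute is
    treated as unrestricted (the default before Lax-by-default browsers).
    "safari12_as_described": the behaviour the thread attributes to Safari
    12: only Strict and Lax are recognised, any other value (including
    "None") is treated as Strict.  An absent attribute is assumed to stay
    unrestricted, which is what the thread's workaround relies on.
    """
    value = parse_samesite(header)
    if value is None:
        return "unrestricted"
    if browser == "spec":
        return value
    if browser == "safari12_as_described":
        return value if value in ("Strict", "Lax") else "Strict"
    raise ValueError(f"unknown browser model: {browser}")


def cookie_sent(policy, context):
    """Standard SameSite semantics for three request contexts."""
    if context == "same-site":
        return True
    if context == "cross-site-top-level-get":
        return policy in ("Lax", "None", "unrestricted")
    if context == "cross-site-subrequest":
        return policy in ("None", "unrestricted")
    raise ValueError(f"unknown context: {context}")


if __name__ == "__main__":
    cases = [
        ("string 'None'", {"SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": True}),
        ("Python None (thread's workaround)", {"SESSION_COOKIE_SAMESITE": None, "SESSION_COOKIE_SECURE": True}),
    ]
    for label, cfg in cases:
        hdr = build_session_cookie(cfg)
        print(label, "->", hdr)
        for model in ("spec", "safari12_as_described"):
            print("   ", model, "treats it as", effective_samesite(hdr, model))
```

The block makes the point of the workaround visible: Python `None` omits the attribute, so the described Safari build has nothing to misread, whereas the string `"None"` is exactly the value it treats as Strict. Note also that the `sys.platform` check in the FAQ snippet runs on the machine serving pgAdmin, so it selects on the server's OS rather than on the user's browser; that is the Server-mode limitation Dave raises in his reply.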

* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 14:00       ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-01 17:50         ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-12-02 11:03           ` Dave Page <[email protected]>
  2020-12-03 08:54             ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Dave Page @ 2020-12-02 11:03 UTC (permalink / raw)
  To: Rahul Shirsat <[email protected]>; +Cc: pgadmin-hackers

Hi

On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <[email protected]>
wrote:

> Hi Dave,
>
> Could you please add below FAQ point for SameSite Safari issue:
>
> Question :
> When I set new tab settings for query tool or schema-diff, I get
> "Connection to server lost" or "CSRF tokens do not match" on Safari
> versions >= 12
>
> Answer:
> <p>This has been seen mostly on Safari browser versions >= 12. It's
> reported that from v12 of CFNetwork/Safari/Webkit erroneously handle
> "Samesite=none" as the equivalent of "Samesite=strict". It means, Safari
> recognizes the SameSite option starting with version 12, but their
> implementation has a bug: It interprets invalid values as if
> SameSite=Strict had been specified, and for it only Strict and Lax are
> valid values, as the older specification did not yet specify None</p>
>
> <p>To solve this issue, we need to override the SameSite security
> settings, for this, create a file called config_system.py in the web/
> directory of the installation, alongside the existing config.py. This file
> can be used to override any of the settings in config.py (which shouldn't
> be edited). The config_system.py should have the below code:</p>
>

We could certainly add something like that, though config_system.py
doesn't go alongside config.py, so that part of the text needs fixing.


>
> <pre>
> import sys
>
> # Targeting only macOS
> if sys.platform.startswith('darwin'):
>     SESSION_COOKIE_SAMESITE = None
>     SESSION_COOKIE_SECURE = True
> </pre>
>
> Do suggest or add any points if I am missing them.
>

And that is not going to work in Server mode, only Desktop.



>
> Also, let me know once this is done, So that I will close the ticket.
>
> --
> *Rahul Shirsat*
> Senior Software Engineer | EnterpriseDB Corporation.
>
> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <
> [email protected]> wrote:
>
>> This was the part of our internal quality testing, where it got
>> encountered. Currently, none of the users have complained about this on
>> their specific browser versions.
>>
>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:
>>
>>> Hi
>>>
>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
>>> [email protected]> wrote:
>>>
>>>> Dave,
>>>>
>>>> There are issues discussed on Apple forums, check this out:
>>>>
>>>> https://developer.apple.com/forums/thread/129064 - The latest comment
>>>> by the user here is one month ago, meaning the issue is still not fixed yet.
>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>> issue in v13.x
>>>>
>>>> Even webkit has confirmed about this issue :
>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>> issue in v12.x
>>>>
>>>
>>> In that case, I think the answer (for now at least) is an FAQ,
>>> referencing those issues and explaining how to resolve the issue using
>>> config_system.py or by using a different browser.
>>>
>>> Have we actually seen this issue in wild?
>>>
>>>
>>>
>>>>
>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi Dave,
>>>>>>
>>>>>> Due to SameSite security issues in Safari Browser, some of the
>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>
>>>>>> The affected Safari Browser versions (marked in red) currently tested
>>>>>> upon are:
>>>>>>
>>>>>>    1. v11.1.2
>>>>>>    2. v12.1
>>>>>>    3. v12.1.1
>>>>>>    4. 13.1
>>>>>>    5. 14.0.1
>>>>>>
>>>>>> Since v12, Safari have done some security fixes, due to which this
>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>> reproducible on its successor i.e. v14
>>>>>>
>>>>>> Possible solutions could be:
>>>>>>
>>>>>>    1. Reporting this to Safari & raising an RM for tracking purposes.
>>>>>>    2. Suggesting Safari users to make below changes in config.py or
>>>>>>    config_distro for the work around:
>>>>>>
>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>>
>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>> (As we aren't going through any cross-site cookie transfer, this can
>>>>>> be a handy option - but still risky..)
>>>>>>
>>>>>> I would suggest going with the 1st option or combination of both, but
>>>>>> with caution.
>>>>>>
>>>>>
>>>>> Others must have come across this issue already. Is it a known bug,
>>>>> documented somewhere (ideally on apple.com)?
>>>>>
>>>>> --
>>>>> Dave Page
>>>>> Blog: http://pgsnake.blogspot.com
>>>>> Twitter: @pgsnake
>>>>>
>>>>> EDB: http://www.enterprisedb.com
>>>>>
>>>>>
>>>>
>>>> --
>>>> *Rahul Shirsat*
>>>> Software Engineer | EnterpriseDB Corporation.
>>>>
>>>
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EDB: http://www.enterprisedb.com
>>>
>>>
>>
>> --
>> *Rahul Shirsat*
>> Software Engineer | EnterpriseDB Corporation.
>>
>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 14:00       ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-01 17:50         ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-02 11:03           ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
@ 2020-12-03 08:54             ` Rahul Shirsat <[email protected]>
  2020-12-03 09:32               ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Rahul Shirsat @ 2020-12-03 08:54 UTC (permalink / raw)
  To: Dave Page <[email protected]>; +Cc: pgadmin-hackers

Dave,

Please find the corrected FAQ details below.

Category : Troubleshooting

Question :
When I set new tab settings for query tool or schema-diff, I get
"Connection to server lost" or "CSRF tokens do not match" on Safari
versions >= 12

Answer:
<p>This has been seen mostly on Safari browser versions >= 12. It is
reported that from v12, CFNetwork/Safari/WebKit erroneously handle
"SameSite=None" as the equivalent of "SameSite=Strict". This means Safari
recognizes the SameSite option starting with version 12, but its
implementation has a bug: it interprets invalid values as if
SameSite=Strict had been specified, and for it only Strict and Lax are
valid values, as the older specification did not yet specify None.</p>

<p>To solve this issue, we need to override the SameSite security settings.
For this, create a file called config_system.py (for the location to create the
file, refer to <a href="https://www.pgadmin.org/docs/pgadmin4/development/config_py.html">The
config.py file</a>). This file can be used to override any of the settings
in config.py (which shouldn't be edited). The config_system.py should have
the below code:</p>

<pre>
    SESSION_COOKIE_SAMESITE = None
    SESSION_COOKIE_SECURE = True
</pre>
<p><i>Note that these changes are not recommended, and we highly recommend
that users use a different browser until the issue gets resolved by
Apple.</i></p>

Removed the OS specific condition to make it generic for all distributions.
Added a warning note at the end of the FAQ.

On Wed, Dec 2, 2020 at 4:33 PM Dave Page <[email protected]> wrote:

> Hi
>
> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <
> [email protected]> wrote:
>
>> Hi Dave,
>>
>> Could you please add the FAQ point below for the SameSite Safari issue:
>>
>> Question :
>> When I set new tab settings for query tool or schema-diff, I get
>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>> versions >= 12
>>
>> Answer:
>> <p>This has been seen mostly on Safari browser versions >= 12. It is
>> reported that from v12, CFNetwork/Safari/WebKit erroneously handle
>> "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari
>> recognizes the SameSite option starting with version 12, but its
>> implementation has a bug: it interprets invalid values as if
>> SameSite=Strict had been specified, and for it only Strict and Lax are
>> valid values, as the older specification did not yet specify None.</p>
>>
>> <p>To solve this issue, we need to override the SameSite security
>> settings. For this, create a file called config_system.py in the web/
>> directory of the installation, alongside the existing config.py. This file
>> can be used to override any of the settings in config.py (which shouldn't
>> be edited). The config_system.py should have the below code:</p>
>>
>
> We could certainly add something like that, though, config_system.py
> doesn't go alongside config.py so that part of the text needs fixing.
>
>
>>
>> <pre>
>> import sys
>>
>> # Targeting only macOS
>> if sys.platform.startswith('darwin'):
>>     SESSION_COOKIE_SAMESITE = None
>>     SESSION_COOKIE_SECURE = True
>> </pre>
>>
>> Do suggest or add any points if I am missing them.
>>
>
> And that is not going to work in Server mode, only Desktop.
>
>
>
>>
>> Also, let me know once this is done, so that I can close the ticket.
>>
>> --
>> *Rahul Shirsat*
>> Senior Software Engineer | EnterpriseDB Corporation.
>>
>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <
>> [email protected]> wrote:
>>
>>> This was encountered as part of our internal quality testing. Currently,
>>> no users have complained about this on their specific browser versions.
>>>
>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
>>>> [email protected]> wrote:
>>>>
>>>>> Dave,
>>>>>
>>>>> There are issues discussed on the Apple forums; check these out:
>>>>>
>>>>> https://developer.apple.com/forums/thread/129064 - The latest comment
>>>>> by the user here was one month ago, meaning the issue is still not fixed.
>>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>>> issue in v13.x
>>>>>
>>>>> Even WebKit has confirmed this issue:
>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>>> issue in v12.x
>>>>>
>>>>
>>>> In that case, I think the answer (for now at least) is an FAQ,
>>>> referencing those issues and explaining how to resolve the issue using
>>>> config_system.py or by using a different browser.
>>>>
>>>> Have we actually seen this issue in the wild?
>>>>
>>>>
>>>>
>>>>>
>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Dave,
>>>>>>>
>>>>>>> Due to SameSite security issues in the Safari browser, some of the
>>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>
>>>>>>> The affected Safari browser versions (marked in red) currently
>>>>>>> tested are:
>>>>>>>
>>>>>>>    1. v11.1.2
>>>>>>>    2. v12.1
>>>>>>>    3. v12.1.1
>>>>>>>    4. 13.1
>>>>>>>    5. 14.0.1
>>>>>>>
>>>>>>> Since v12, Safari has made some security fixes, due to which this
>>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>>> is reproducible on its successor, i.e. v14.
>>>>>>>
>>>>>>> Possible solutions could be:
>>>>>>>
>>>>>>>    1. Reporting this to Safari & raising an RM for tracking
>>>>>>>    purposes.
>>>>>>>    2. Suggesting that Safari users make the changes below in config.py
>>>>>>>    or config_distro as a workaround:
>>>>>>>
>>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>>>
>>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>>> (As we aren't going through any cross-site cookie transfer, this can
>>>>>>> be a handy option - but still risky.)
>>>>>>>
>>>>>>> I would suggest going with the 1st option or a combination of both,
>>>>>>> but with caution.
>>>>>>>
>>>>>>
>>>>>> Others must have come across this issue already. Is it a known bug,
>>>>>> documented somewhere (ideally on apple.com)?
>>>>>>
>>>>>> --
>>>>>> Dave Page
>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>> Twitter: @pgsnake
>>>>>>
>>>>>> EDB: http://www.enterprisedb.com
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> *Rahul Shirsat*
>>>>> Software Engineer | EnterpriseDB Corporation.
>>>>>
>>>>
>>>>
>>>> --
>>>> Dave Page
>>>> Blog: http://pgsnake.blogspot.com
>>>> Twitter: @pgsnake
>>>>
>>>> EDB: http://www.enterprisedb.com
>>>>
>>>>
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>
>>
>> --
>> *Rahul Shirsat*
>> Software Engineer | EnterpriseDB Corporation.
>>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.
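The FAQ workaround above hinges on a detail worth seeing in a header: with
Flask/Werkzeug, setting SESSION_COOKIE_SAMESITE to Python's None drops the
SameSite attribute from the session cookie altogether, whereas the string
"None" emits the literal SameSite=None token that the affected Safari builds
misread as Strict. The script below is an added example, not pgAdmin or
Flask code; it models the resulting Set-Cookie value with the standard
library only and parses a header back so an administrator can audit what a
deployment actually sends after editing config_system.py. The cookie name
pga4_session and the session id abc123 are assumed placeholders.

```python
"""Render and audit the Set-Cookie header produced by pgAdmin-style
SESSION_COOKIE_SAMESITE / SESSION_COOKIE_SECURE settings.

Added example, not pgAdmin or Flask code: the header is modelled with the
standard library's http.cookies, and the cookie name and value are
constructed placeholders.
"""
from http.cookies import SimpleCookie

COOKIE_NAME = "pga4_session"   # assumed name; the real cookie name may differ
SESSION_ID = "abc123"          # constructed stand-in for the signed session


def render_session_cookie(samesite, secure):
    """Return the Set-Cookie value for one (SAMESITE, SECURE) config pair.

    Mirrors the Flask/Werkzeug behaviour the FAQ relies on: a Python None
    omits the SameSite attribute entirely, while the string "None" emits a
    literal SameSite=None, the token the affected Safari builds misread as
    Strict.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = SESSION_ID
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True          # keep the session id away from scripts
    if secure:
        morsel["secure"] = True        # only send over HTTPS
    if samesite is not None:
        morsel["samesite"] = samesite  # "Lax", "Strict" or "None"
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Parse a Set-Cookie value and report its CSRF-relevant attributes.

    Useful for checking what a deployment actually sends (e.g. the value
    copied from a browser's network inspector) after editing config_system.py.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    morsel = next(iter(cookie.values()))
    samesite = morsel["samesite"].title() or None   # "" when absent
    return {
        "name": morsel.key,
        "samesite": samesite,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        # With the attribute absent the browser applies its own default, so
        # the cookie no longer carries an explicit cross-site restriction.
        "explicit_samesite_protection": samesite in ("Lax", "Strict"),
    }


if __name__ == "__main__":
    for samesite, secure in (("Lax", True), ("None", True), (None, True)):
        header = render_session_cookie(samesite, secure)
        print(f"SESSION_COOKIE_SAMESITE = {samesite!r}")
        print("  Set-Cookie:", header)
        print("  audit:     ", audit_set_cookie(header))
```

Running it prints the three headers side by side: only the Python None case
has no SameSite attribute at all, which is why it sidesteps the Safari
parsing bug, and why the audit marks it as lacking explicit cross-site
protection (Chromium-based browsers default such a cookie to Lax; other
browsers may apply no restriction). SESSION_COOKIE_SECURE = True keeps the
Secure flag, so the relaxed cookie is at least never sent over plain HTTP.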



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 14:00       ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-01 17:50         ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-02 11:03           ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-12-03 08:54             ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
@ 2020-12-03 09:32               ` Dave Page <[email protected]>
  2020-12-03 11:30                 ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  0 siblings, 1 reply; 13+ messages in thread

From: Dave Page @ 2020-12-03 09:32 UTC (permalink / raw)
  To: Rahul Shirsat <[email protected]>; +Cc: pgadmin-hackers

Hi

Please check: https://www.pgadmin.org/faq/#13

On Thu, Dec 3, 2020 at 8:54 AM Rahul Shirsat <[email protected]>
wrote:

> Dave,
>
> Please find the corrected FAQ details below.
>
> Category : Troubleshooting
>
> Question :
> When I set new tab settings for query tool or schema-diff, I get
> "Connection to server lost" or "CSRF tokens do not match" on Safari
> versions >= 12
>
> Answer:
> <p>This has been seen mostly on Safari browser versions >= 12. It is
> reported that from v12, CFNetwork/Safari/WebKit erroneously handle
> "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari
> recognizes the SameSite option starting with version 12, but its
> implementation has a bug: it interprets invalid values as if
> SameSite=Strict had been specified, and for it only Strict and Lax are
> valid values, as the older specification did not yet specify None.</p>
>
> <p>To solve this issue, we need to override the SameSite security
> settings. For this, create a file called config_system.py (for the location
> to create the file, refer to <a href="https://www.pgadmin.org/docs/pgadmin4/development/config_py.html">The
> config.py file</a>). This file can be used to override any of the settings
> in config.py (which shouldn't be edited). The config_system.py should have
> the below code:</p>
>
> <pre>
>     SESSION_COOKIE_SAMESITE = None
>     SESSION_COOKIE_SECURE = True
> </pre>
> <p><i>Note that these changes are not recommended, and we highly recommend
> that users use a different browser until the issue gets resolved by
> Apple.</i></p>
>
> Removed the OS specific condition to make it generic for all distributions.
> Added a warning note at the end of the FAQ.
>
> On Wed, Dec 2, 2020 at 4:33 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <
>> [email protected]> wrote:
>>
>>> Hi Dave,
>>>
>>> Could you please add the FAQ point below for the SameSite Safari issue:
>>>
>>> Question :
>>> When I set new tab settings for query tool or schema-diff, I get
>>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>>> versions >= 12
>>>
>>> Answer:
>>> <p>This has been seen mostly on Safari browser versions >= 12. It is
>>> reported that from v12, CFNetwork/Safari/WebKit erroneously handle
>>> "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari
>>> recognizes the SameSite option starting with version 12, but its
>>> implementation has a bug: it interprets invalid values as if
>>> SameSite=Strict had been specified, and for it only Strict and Lax are
>>> valid values, as the older specification did not yet specify None.</p>
>>>
>>> <p>To solve this issue, we need to override the SameSite security
>>> settings. For this, create a file called config_system.py in the web/
>>> directory of the installation, alongside the existing config.py. This file
>>> can be used to override any of the settings in config.py (which shouldn't
>>> be edited). The config_system.py should have the below code:</p>
>>>
>>
>> We could certainly add something like that, though, config_system.py
>> doesn't go alongside config.py so that part of the text needs fixing.
>>
>>
>>>
>>> <pre>
>>> import sys
>>>
>>> # Targeting only macOS
>>> if sys.platform.startswith('darwin'):
>>>     SESSION_COOKIE_SAMESITE = None
>>>     SESSION_COOKIE_SECURE = True
>>> </pre>
>>>
>>> Do suggest or add any points if I am missing them.
>>>
>>
>> And that is not going to work in Server mode, only Desktop.
>>
>>
>>
>>>
>>> Also, let me know once this is done, so that I can close the ticket.
>>>
>>> --
>>> *Rahul Shirsat*
>>> Senior Software Engineer | EnterpriseDB Corporation.
>>>
>>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <
>>> [email protected]> wrote:
>>>
>>>> This was encountered as part of our internal quality testing. Currently,
>>>> no users have complained about this on their specific browser versions.
>>>>
>>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Dave,
>>>>>>
>>>>>> There are issues discussed on the Apple forums; check these out:
>>>>>>
>>>>>> https://developer.apple.com/forums/thread/129064 - The latest
>>>>>> comment by the user here was one month ago, meaning the issue is still
>>>>>> not fixed.
>>>>>> https://developer.apple.com/forums/thread/658688 - Users facing this
>>>>>> issue in v13.x
>>>>>>
>>>>>> Even WebKit has confirmed this issue:
>>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>>>> issue in v12.x
>>>>>>
>>>>>
>>>>> In that case, I think the answer (for now at least) is an FAQ,
>>>>> referencing those issues and explaining how to resolve the issue using
>>>>> config_system.py or by using a different browser.
>>>>>
>>>>> Have we actually seen this issue in the wild?
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Dave,
>>>>>>>>
>>>>>>>> Due to SameSite security issues in the Safari browser, some of the
>>>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>>
>>>>>>>> The affected Safari browser versions (marked in red) currently
>>>>>>>> tested are:
>>>>>>>>
>>>>>>>>    1. v11.1.2
>>>>>>>>    2. v12.1
>>>>>>>>    3. v12.1.1
>>>>>>>>    4. 13.1
>>>>>>>>    5. 14.0.1
>>>>>>>>
>>>>>>>> Since v12, Safari has made some security fixes, due to which this
>>>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>>>> is reproducible on its successor, i.e. v14.
>>>>>>>>
>>>>>>>> Possible solutions could be:
>>>>>>>>
>>>>>>>>    1. Reporting this to Safari & raising an RM for tracking
>>>>>>>>    purposes.
>>>>>>>>    2. Suggesting that Safari users make the changes below in config.py
>>>>>>>>    or config_distro as a workaround:
>>>>>>>>
>>>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>>>>
>>>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>>>> (As we aren't going through any cross-site cookie transfer, this
>>>>>>>> can be a handy option - but still risky.)
>>>>>>>>
>>>>>>>> I would suggest going with the 1st option or a combination of both,
>>>>>>>> but with caution.
>>>>>>>>
>>>>>>>
>>>>>>> Others must have come across this issue already. Is it a known bug,
>>>>>>> documented somewhere (ideally on apple.com)?
>>>>>>>
>>>>>>> --
>>>>>>> Dave Page
>>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>>> Twitter: @pgsnake
>>>>>>>
>>>>>>> EDB: http://www.enterprisedb.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Rahul Shirsat*
>>>>>> Software Engineer | EnterpriseDB Corporation.
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Dave Page
>>>>> Blog: http://pgsnake.blogspot.com
>>>>> Twitter: @pgsnake
>>>>>
>>>>> EDB: http://www.enterprisedb.com
>>>>>
>>>>>
>>>>
>>>> --
>>>> *Rahul Shirsat*
>>>> Software Engineer | EnterpriseDB Corporation.
>>>>
>>>
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>


-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com



* Re: SameSite issues in Safari Browser (reference #RM5975)
  2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-26 13:27 ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 07:11   ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-11-30 11:42     ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-11-30 14:00       ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-01 17:50         ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-02 11:03           ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
  2020-12-03 08:54             ` Re: SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
  2020-12-03 09:32               ` Re: SameSite issues in Safari Browser (reference #RM5975) Dave Page <[email protected]>
@ 2020-12-03 11:30                 ` Rahul Shirsat <[email protected]>
  0 siblings, 0 replies; 13+ messages in thread

From: Rahul Shirsat @ 2020-12-03 11:30 UTC (permalink / raw)
  To: Dave Page <[email protected]>; +Cc: pgadmin-hackers

Thanks Dave.

I have closed the issue.

On Thu, Dec 3, 2020 at 3:02 PM Dave Page <[email protected]> wrote:

> Hi
>
> Please check: https://www.pgadmin.org/faq/#13
>
> On Thu, Dec 3, 2020 at 8:54 AM Rahul Shirsat <
> [email protected]> wrote:
>
>> Dave,
>>
>> Please find the corrected FAQ details below.
>>
>> Category : Troubleshooting
>>
>> Question :
>> When I set new tab settings for query tool or schema-diff, I get
>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>> versions >= 12
>>
>> Answer:
>> <p>This has been seen mostly on Safari browser versions >= 12. It is
>> reported that from v12, CFNetwork/Safari/WebKit erroneously handle
>> "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari
>> recognizes the SameSite option starting with version 12, but its
>> implementation has a bug: it interprets invalid values as if
>> SameSite=Strict had been specified, and for it only Strict and Lax are
>> valid values, as the older specification did not yet specify None.</p>
>>
>> <p>To solve this issue, we need to override the SameSite security
>> settings. For this, create a file called config_system.py (for the location
>> to create the file, refer to <a href="https://www.pgadmin.org/docs/pgadmin4/development/config_py.html">The
>> config.py file</a>). This file can be used to override any of the settings
>> in config.py (which shouldn't be edited). The config_system.py should have
>> the below code:</p>
>>
>> <pre>
>>     SESSION_COOKIE_SAMESITE = None
>>     SESSION_COOKIE_SECURE = True
>> </pre>
>> <p><i>Note that these changes are not recommended, and we highly
>> recommend that users use a different browser until the issue gets resolved
>> by Apple.</i></p>
>>
>> Removed the OS specific condition to make it generic for all
>> distributions.
>> Added a warning note at the end of the FAQ.
>>
>> On Wed, Dec 2, 2020 at 4:33 PM Dave Page <[email protected]> wrote:
>>
>>> Hi
>>>
>>> On Tue, Dec 1, 2020 at 5:51 PM Rahul Shirsat <
>>> [email protected]> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Could you please add the FAQ point below for the SameSite Safari issue:
>>>>
>>>> Question :
>>>> When I set new tab settings for query tool or schema-diff, I get
>>>> "Connection to server lost" or "CSRF tokens do not match" on Safari
>>>> versions >= 12
>>>>
>>>> Answer:
>>>> <p>This has been seen mostly on Safari browser versions >= 12. It is
>>>> reported that from v12, CFNetwork/Safari/WebKit erroneously handle
>>>> "SameSite=None" as the equivalent of "SameSite=Strict". This means Safari
>>>> recognizes the SameSite option starting with version 12, but its
>>>> implementation has a bug: it interprets invalid values as if
>>>> SameSite=Strict had been specified, and for it only Strict and Lax are
>>>> valid values, as the older specification did not yet specify None.</p>
>>>>
>>>> <p>To solve this issue, we need to override the SameSite security
>>>> settings. For this, create a file called config_system.py in the web/
>>>> directory of the installation, alongside the existing config.py. This file
>>>> can be used to override any of the settings in config.py (which shouldn't
>>>> be edited). The config_system.py should have the below code:</p>
>>>>
>>>
>>> We could certainly add something like that, though, config_system.py
>>> doesn't go alongside config.py so that part of the text needs fixing.
>>>
>>>
>>>>
>>>> <pre>
>>>> import sys
>>>>
>>>> # Targeting only macOS
>>>> if sys.platform.startswith('darwin'):
>>>>     SESSION_COOKIE_SAMESITE = None
>>>>     SESSION_COOKIE_SECURE = True
>>>> </pre>
>>>>
>>>> Do suggest or add any points if I am missing them.
>>>>
>>>
>>> And that is not going to work in Server mode, only Desktop.
>>>
>>>
>>>
>>>>
>>>> Also, let me know once this is done, so that I can close the ticket.
>>>>
>>>> --
>>>> *Rahul Shirsat*
>>>> Senior Software Engineer | EnterpriseDB Corporation.
>>>>
>>>> On Mon, Nov 30, 2020 at 7:30 PM Rahul Shirsat <
>>>> [email protected]> wrote:
>>>>
>>>>> This was encountered as part of our internal quality testing. Currently,
>>>>> no users have complained about this on their specific browser versions.
>>>>>
>>>>> On Mon, Nov 30, 2020 at 5:12 PM Dave Page <[email protected]> wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> On Mon, Nov 30, 2020 at 7:12 AM Rahul Shirsat <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Dave,
>>>>>>>
>>>>>>> There are issues discussed on the Apple forums; check these out:
>>>>>>>
>>>>>>> https://developer.apple.com/forums/thread/129064 - The latest
>>>>>>> comment by the user here was one month ago, meaning the issue is still
>>>>>>> not fixed.
>>>>>>> https://developer.apple.com/forums/thread/658688 - Users facing
>>>>>>> this issue in v13.x
>>>>>>>
>>>>>>> Even WebKit has confirmed this issue:
>>>>>>> https://bugs.webkit.org/show_bug.cgi?id=198181 - Users facing this
>>>>>>> issue in v12.x
>>>>>>>
>>>>>>
>>>>>> In that case, I think the answer (for now at least) is an FAQ,
>>>>>> referencing those issues and explaining how to resolve the issue using
>>>>>> config_system.py or by using a different browser.
>>>>>>
>>>>>> Have we actually seen this issue in the wild?
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Thu, Nov 26, 2020 at 6:57 PM Dave Page <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> On Wed, Nov 25, 2020 at 10:37 AM Rahul Shirsat <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Dave,
>>>>>>>>>
>>>>>>>>> Due to SameSite security issues in the Safari browser, some of the
>>>>>>>>> pgadmin4 functionality isn't working (mostly the new tab functionality).
>>>>>>>>>
>>>>>>>>> The affected Safari browser versions (marked in red) currently
>>>>>>>>> tested are:
>>>>>>>>>
>>>>>>>>>    1. v11.1.2
>>>>>>>>>    2. v12.1
>>>>>>>>>    3. v12.1.1
>>>>>>>>>    4. 13.1
>>>>>>>>>    5. 14.0.1
>>>>>>>>>
>>>>>>>>> Since v12, Safari has made some security fixes, due to which this
>>>>>>>>> issue has occurred. Strangely, the issue is not reproducible on v13, but
>>>>>>>>> is reproducible on its successor, i.e. v14.
>>>>>>>>>
>>>>>>>>> Possible solutions could be:
>>>>>>>>>
>>>>>>>>>    1. Reporting this to Safari & raising an RM for tracking
>>>>>>>>>    purposes.
>>>>>>>>>    2. Suggesting that Safari users make the changes below in config.py
>>>>>>>>>    or config_distro as a workaround:
>>>>>>>>>
>>>>>>>>> *SESSION_COOKIE_SAMESITE = None*
>>>>>>>>>
>>>>>>>>> *SESSION_COOKIE_SECURE = True*
>>>>>>>>> (As we aren't going through any cross-site cookie transfer, this
>>>>>>>>> can be a handy option - but still risky.)
>>>>>>>>>
>>>>>>>>> I would suggest going with the 1st option or a combination of both,
>>>>>>>>> but with caution.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Others must have come across this issue already. Is it a known bug,
>>>>>>>> documented somewhere (ideally on apple.com)?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Dave Page
>>>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>>>> Twitter: @pgsnake
>>>>>>>>
>>>>>>>> EDB: http://www.enterprisedb.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Rahul Shirsat*
>>>>>>> Software Engineer | EnterpriseDB Corporation.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Dave Page
>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>> Twitter: @pgsnake
>>>>>>
>>>>>> EDB: http://www.enterprisedb.com
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> *Rahul Shirsat*
>>>>> Software Engineer | EnterpriseDB Corporation.
>>>>>
>>>>
>>>>
>>>> --
>>>> *Rahul Shirsat*
>>>> Software Engineer | EnterpriseDB Corporation.
>>>>
>>>
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EDB: http://www.enterprisedb.com
>>>
>>>
>>
>> --
>> *Rahul Shirsat*
>> Software Engineer | EnterpriseDB Corporation.
>>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

-- 
*Rahul Shirsat*
Software Engineer | EnterpriseDB Corporation.




Thread overview: 13+ messages
2020-11-25 10:37 SameSite issues in Safari Browser (reference #RM5975) Rahul Shirsat <[email protected]>
2020-11-26 05:57 ` Akshay Joshi <[email protected]>
2020-11-26 08:02   ` Rahul Shirsat <[email protected]>
2020-11-26 08:50     ` Ashesh Vashi <[email protected]>
2020-11-26 13:27 ` Dave Page <[email protected]>
2020-11-30 07:11   ` Rahul Shirsat <[email protected]>
2020-11-30 11:42     ` Dave Page <[email protected]>
2020-11-30 14:00       ` Rahul Shirsat <[email protected]>
2020-12-01 17:50         ` Rahul Shirsat <[email protected]>
2020-12-02 11:03           ` Dave Page <[email protected]>
2020-12-03 08:54             ` Rahul Shirsat <[email protected]>
2020-12-03 09:32               ` Dave Page <[email protected]>
2020-12-03 11:30                 ` Rahul Shirsat <[email protected]>
