From: Akshay Joshi
Date: Thu, 26 Nov 2020 11:27:32 +0530
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
To: Rahul Shirsat
Cc: pgadmin-hackers

Hi Rahul

On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <rahul.shirsat@enterprisedb.com> wrote:
> Hi Dave,
>
> Due to SameSite security issues in Safari Browser, some of the pgadmin4
> functionality isn't working (mostly the new tab functionality).
>
> The affected Safari Browser versions (marked in red) currently tested upon
> are:
>
> 1. v11.1.2
> 2. v12.1
> 3. v12.1.1
> 4. 13.1
> 5. 14.0.1
>
> Since v12, Safari has made some security fixes, due to which this issue
> has occurred. Strangely, the issue is not reproducible on v13, but
> reproducible on its successor, i.e. v14.
>
> Possible solutions could be:
>
> 1. Reporting this to Safari & raising an RM for tracking purposes.
> 2. Suggesting Safari users make the below changes in config.py or
> config_distro as a workaround:
>
> SESSION_COOKIE_SAMESITE = None
> SESSION_COOKIE_SECURE = True
>
> (As we aren't going through any cross-site cookie transfer, this can be a
> handy option - but still risky..)
>
> I would suggest going with the 1st option or a combination of both, but with
> caution.

In my opinion, we should go with both the options, as we have added the above settings for security purposes.

> --
> Rahul Shirsat
> Software Engineer | EnterpriseDB Corporation.

--
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Principal Software Architect
EDB Postgres
Mobile: +91 976-788-8246
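The two settings proposed in the thread, SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE, interact in a way that is easy to get wrong, so here is an added example (mine, not pgAdmin's code or anything from the list) that renders the Set-Cookie header a Flask-style app would produce for a given config and lints the combination. It assumes Werkzeug's handling of the value: a Python `None` omits the SameSite attribute entirely, whereas the string `"None"` emits `SameSite=None`, which browsers only accept alongside `Secure`. The function names, the finding codes and the sample configs are my own constructions.

```python
# Added example, not pgAdmin's own code: a small linter for Flask-style
# session-cookie settings such as the SESSION_COOKIE_SAMESITE /
# SESSION_COOKIE_SECURE pair discussed in the thread.
#
# Assumptions (Werkzeug's cookie handling as I understand it, not verified
# against pgAdmin): a Python None for SESSION_COOKIE_SAMESITE means the
# SameSite attribute is omitted from Set-Cookie, while the string "None"
# emits "SameSite=None"; browsers accept SameSite=None only with Secure.
from typing import Dict, List, Optional, Tuple

VALID_SAMESITE = ("Strict", "Lax", "None")


def render_set_cookie(name: str, value: str, samesite: Optional[str],
                      secure: bool, httponly: bool = True) -> str:
    """Build the Set-Cookie header text a Flask-style app would emit."""
    if samesite is not None and samesite not in VALID_SAMESITE:
        raise ValueError(f"unsupported SameSite value: {samesite!r}")
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite is not None:  # Python None -> attribute omitted
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def lint_session_cookie_config(config: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for a session-cookie config dict."""
    samesite = config.get("SESSION_COOKIE_SAMESITE")
    secure = bool(config.get("SESSION_COOKIE_SECURE", False))
    findings: List[Tuple[str, str]] = []

    if not secure:
        findings.append(("SECURE_OFF",
                         "session cookie may be sent over plain HTTP"))
    if samesite is None:
        findings.append(("SAMESITE_OMITTED",
                         "no SameSite attribute; each browser applies its own "
                         "default (Chrome 80+ treats it as Lax), so behaviour "
                         "differs per browser"))
    elif samesite == "None":
        if not secure:
            findings.append(("NONE_WITHOUT_SECURE",
                             "SameSite=None is rejected unless Secure is set"))
        findings.append(("CROSS_SITE_SENT",
                         "cookie accompanies cross-site requests; CSRF defence "
                         "must come from tokens or origin checks"))
    elif samesite not in VALID_SAMESITE:
        findings.append(("INVALID_SAMESITE", f"unknown value {samesite!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample configs: the thread's suggested workaround and a
    # stricter baseline for comparison. Cookie name/value are placeholders.
    samples = {
        "workaround": {"SESSION_COOKIE_SAMESITE": None, "SESSION_COOKIE_SECURE": True},
        "baseline": {"SESSION_COOKIE_SAMESITE": "Lax", "SESSION_COOKIE_SECURE": True},
    }
    for label, cfg in samples.items():
        header = render_set_cookie("session", "opaque-id",
                                   cfg["SESSION_COOKIE_SAMESITE"],
                                   cfg["SESSION_COOKIE_SECURE"])
        print(f"{label}: {header}")
        for code, why in lint_session_cookie_config(cfg):
            print(f"    {code}: {why}")
```

Running it shows that the suggested workaround does not actually set `SameSite=None`; it drops the attribute, which is why the outcome depends on the browser's default rather than on pgAdmin's configuration.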