Re: SameSite issues in Safari Browser (reference #RM5975)

From: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
To: Rahul Shirsat <rahul(dot)shirsat(at)enterprisedb(dot)com>
Cc: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: SameSite issues in Safari Browser (reference #RM5975)
Date: 2020-11-26 08:50:09
Message-ID: CAG7mmozKN2SzKvgwOUN2E1PMkmakmebQs9fNH_eDqpuCk4gcJw@mail.gmail.com
Lists: pgadmin-hackers

On Thu, Nov 26, 2020 at 1:33 PM Rahul Shirsat <rahul(dot)shirsat(at)enterprisedb(dot)com> wrote:

> Yes Akshay.
>
> I think we should go ahead and add this approach to the pgAdmin FAQs; we
> would not be fixing this in our code as we don't know when Apple would fix
> its issue.
>

Or, add these configs in the config_distro.py for Mac packages.

-- Ashesh

>
> On Thu, Nov 26, 2020 at 11:27 AM Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>
>> Hi Rahul
>>
>> On Wed, Nov 25, 2020 at 4:07 PM Rahul Shirsat <rahul(dot)shirsat(at)enterprisedb(dot)com> wrote:
>>
>>> Hi Dave,
>>>
>>> Due to SameSite security issues in the Safari browser, some of the pgAdmin4
>>> functionality isn't working (mostly the new tab functionality).
>>>
>>> The affected Safari Browser versions (marked in red) currently tested
>>> upon are:
>>>
>>> 1. v11.1.2
>>> 2. v12.1
>>> 3. v12.1.1
>>> 4. 13.1
>>> 5. 14.0.1
>>>
>>> Since v12, Safari has made some security fixes, due to which this issue
>>> has occurred. Strangely, the issue is not reproducible on v13, but is
>>> reproducible on its successor, i.e. v14.
>>>
>>> Possible solutions could be:
>>>
>>> 1. Reporting this to Safari and raising an RM for tracking purposes.
>>> 2. Suggesting Safari users make the changes below in config.py or
>>> config_distro.py as a workaround:
>>>
>>> SESSION_COOKIE_SAMESITE = None
>>>
>>> SESSION_COOKIE_SECURE = True
>>> (As we aren't going through any cross-site cookie transfer, this can be
>>> a handy option - but still risky.)
>>>
>>> I would suggest going with the 1st option, or a combination of both, but
>>> with caution.
>>>
>>
>> In my opinion, we should go with both the options, as we have added
>> the above settings for security purposes.
>>
>>>
>>> --
>>> *Rahul Shirsat*
>>> Software Engineer | EnterpriseDB Corporation.
>>>
>>
>>
>> --
>> *Thanks & Regards*
>> *Akshay Joshi*
>> *pgAdmin Hacker | Principal Software Architect*
>> *EDB Postgres <http://edbpostgres.com>*
>>
>> *Mobile: +91 976-788-8246*
>>
>
>
> --
> *Rahul Shirsat*
> Software Engineer | EnterpriseDB Corporation.
>
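The workaround discussed in this thread is two Flask settings, and the detail that matters is what they turn into on the wire: in Flask/Werkzeug the Python value None for SESSION_COOKIE_SAMESITE means the SameSite attribute is omitted from the Set-Cookie header altogether, which is not the same as the string 'None' (an explicit SameSite=None, which Chromium-based browsers reject unless Secure is also set). The example below is added here and is not pgAdmin's or Flask's code: it renders the header for a given pair of settings the way Werkzeug's dump_cookie does for these attributes (simplified to the attributes relevant here), and audits a captured Set-Cookie header, for instance one taken from a browser's network inspector or from curl -i against a pgAdmin server, for the combinations that cause trouble. The cookie name pga4_session and the "default" configuration of SameSite=Lax without Secure are assumptions for illustration, not values taken from the thread.

```python
"""Added example (not pgAdmin/Flask code): what SESSION_COOKIE_SAMESITE /
SESSION_COOKIE_SECURE become in the Set-Cookie header, plus an audit of a
captured header for the SameSite/Secure combinations that matter."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed cookie name for illustration; pgAdmin's real name is configurable.
COOKIE_NAME = "pga4_session"


@dataclass(frozen=True)
class SessionCookieConfig:
    samesite: Optional[str]  # Flask SESSION_COOKIE_SAMESITE: 'Lax', 'Strict', 'None', or Python None
    secure: bool             # Flask SESSION_COOKIE_SECURE


def render_set_cookie(value: str, cfg: SessionCookieConfig, name: str = COOKIE_NAME) -> str:
    """Render the Set-Cookie header as Werkzeug's dump_cookie would for these
    two settings (simplified: HttpOnly and Path=/ are fixed here).
    Python None omits the SameSite attribute entirely; the string 'None'
    emits 'SameSite=None'. Those are different things to a browser."""
    parts = [f"{name}={value}", "HttpOnly", "Path=/"]
    if cfg.secure:
        parts.append("Secure")
    if cfg.samesite is not None:
        mode = cfg.samesite.title()
        if mode not in ("Strict", "Lax", "None"):
            raise ValueError("SameSite must be 'Strict', 'Lax' or 'None'")
        parts.append(f"SameSite={mode}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie header into lower-cased attribute keys; flag
    attributes without a value (Secure, HttpOnly) map to None."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"name": name, "value": value}
    for piece in pieces[1:]:
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return attrs


def audit(header: str) -> List[str]:
    """Return the findings a reviewer would raise for this session cookie."""
    attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite")
    samesite = raw.title() if raw else None
    findings: List[str] = []
    if samesite == "None" and not secure:
        # Chromium 80+ drops a SameSite=None cookie that is not also Secure.
        findings.append("SameSite=None without Secure: Chromium-based browsers reject the cookie")
    if samesite is None:
        findings.append("no SameSite attribute: the browser applies its own default")
    if not secure:
        findings.append("no Secure attribute: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly attribute: cookie is readable from page scripts")
    return findings


if __name__ == "__main__":
    scenarios = {
        # Assumed baseline for illustration, not pgAdmin's actual defaults.
        "assumed default (Lax, not Secure)": SessionCookieConfig(samesite="Lax", secure=False),
        # The workaround from the thread: attribute omitted, Secure added.
        "thread workaround (None, Secure)": SessionCookieConfig(samesite=None, secure=True),
        # The easy mistake: the string 'None' instead of Python None.
        "string 'None', not Secure": SessionCookieConfig(samesite="None", secure=False),
    }
    for label, cfg in scenarios.items():
        header = render_set_cookie("<session-id>", cfg)
        print(f"{label}:\n  Set-Cookie: {header}")
        for finding in audit(header) or ["no findings"]:
            print(f"  - {finding}")
```

Run it to see the three headers side by side; to check a live server, paste the Set-Cookie value from the login response into audit() and compare it with what config_distro.py was meant to produce.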
