Bc_desktop stopped working in MacOS Safari, POSSIBLY across OOD 1.7 upgrade

We’ve had bc_desktop working on our CentOS7 and CentOS6 clusters for some time from our CentOS 7 based on demand server. Since the upgrade to OOD 1.7, bc_desktop connects just tis there with cycling dots across the screen on the noVNC browser tab in Safari 13.1; It works quite well in Firefox 76.0.1 and Chrome 81.0.

Since updates to CentOS, OOD, MacOS and Safari all happened at about the same time, I can’t put a finger on what broke when. Oddly, Cluster Shell access, Jupiter Desktop, and Rstudio Desktops continue to work from Safari.

I’ve reduced this on a fresh Catalina Install on new hardware, as well as on my trusty old upgraded to Catalina 2015 MacBook Pro.

Has anyone else run into safari related connectivity problems?
Ric

We have
undefined method `desktop’ for #BatchConnect::SessionContext:0x0000000003cab9a0

at the moment
nevermind found it here

you need full form and hide with null in atttributes

It appears Apple has made safari near draconian with cross site stuff; the noVNC tab that opens shows errors redirecting to our in-domain SSO app, viz:

[Error] Cross-origin redirection to https://shibboleth.arizona.edu/idp/profile/SAML2/Redirect/SSO;jsessionid=ondbvq9lo3pb15u8enxls91cz?execution=e1s1 denied by Cross-Origin Resource Sharing policy: Origin https://ooddev.hpc.arizona.edu is not allowed by Access-Control-Allow-Origin.

[Error] Cross-origin redirection to https://shibboleth.arizona.edu/idp/profile/SAML2/Redirect/SSO;jsessionid=ondbvq9lo3pb15u8enxls91cz?execution=e1s1 denied by Cross-Origin Resource Sharing policy: Origin https://ooddev.hpc.arizona.edu is not allowed by Access-Control-Allow-Origin.

[Error] Failed to load resource: Cross-origin redirection to https://shibboleth.arizona.edu/idp/profile/SAML2/Redirect/SSO;jsessionid=ondbvq9lo3pb15u8enxls91cz?execution=e1s1 denied by Cross-Origin Resource Sharing policy: Origin https://ooddev.hpc.arizona.edu is not allowed by Access-Control-Allow-Origin. (SSO, line 0)

[Error] TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy. promiseReactionJob

Any suggestions on config changes to placate safari?

@azric

What is the value of Access-Control-Allow-Origin on shibboleth.arizona.edu?

Presuming

$ curl -v https://shibboleth.arizona.edu 2>&1 | grep -i origin

is a valid test, nothing containing the “origin” word was found.

Ric

To reiterate the issue, ooddev is redirecting to shibboleth for authentication but a CORS error is being thrown?

OOD gets to shib just fine initially; it has too in order to present the home page. You can submit jobs, etc. Only remote desktop fails when it apparently tries to vet you in the noVNC tab. Opening Safari Web Inspector window in the noVNC tab which is cycling “….” and looking at “Console” shows the error messages.

Ric

image001.png

image002.png

I was able to reproduce this error on our own systems. This appears to be a bug with Safari specifically with the way auth cookies are set. Safari doesn’t like SameSite=None.

I’m digging deeper into this, I will keep you updated

@azric Worked with @jeff.ohrstrom to fix this. The fix will be in release 1.8 but it’s a simple change to vnc.html if you want to get this done before 1.8 is released.

Edit the file ondemand/apps/dashboard/public/noVNC-1.1.0/vnc.html and replace line 79:

<script type="module" crossorigin="anonymous" src="app/ui.js"></script>

with

<script type="module" crossorigin="use-credentials" src="app/ui.js"></script>

Also add nomodule to line 61 in vnc.html:

<script nomodule src="app/error-handler.js"></script>

Confirmed fixed at UArizona with this modification installed

Thanks Much,

Ric

image001.png

image002.png

1 Like

Thank you so much for providing a solution for this - I encountered the same error on Safari 13.1, and the proposed solution worked for me.

1 Like

The fix for this has been released in 1.7.14 so you should only need to update now. Thanks all!