Igor's Blog
Programming, DIY, Games, Hacks, and Tech

This issue started some time around the 2nd of August 2017. My GSuite Gmail started rendering like this...

Update (5 August 2017) - Google has finally addressed this issue and G Suite Gmail is loading properly again. How did they do it? They removed the Content-Security-Policy header and replaced it with Content-Security-Policy-Report-Only header. This means that CSP is effectively not being enforced in Gmail any more.

If you're interested in the details of my analysis of this error, continue reading...

Opening up the JavaScript console in Safari's Develop menu showed a number of errors that were to do with the Content Security Policy.

Here's the text for the above errors...
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. (x9)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (1, line 0)

I looked further into this and saw that G Suite Gmail was indeed using CSP by setting a nonce value in the <script> element like this...

The HTTP headers however contained the correct nonce value in the Content-Security-Policy header...

This was the actual text for the header...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf https://mail-attachment.googleusercontent.com/swfs/audio.swf https://mail.gstatic.com/tpl/;base-uri 'self';report-uri https://mail.google.com/mail/cspreport

This is what I believe is going wrong - the nonce appears in this part of the CSP...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;

...however Safari is complaining about this - directive 'script-src' contains an invalid source: ''strict-dynamic''. So the entire script-src line is being ignored, including the valid and correct nonce!

This causes the Gmail interface to bomb out since the very first script is being blocked from being executed.
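To make the failure mode concrete, here is an added example (my own code, not anything from Google or from the post) that evaluates the post's script-src directive under three browser models: one that understands 'strict-dynamic', one that ignores an unknown source expression and keeps the rest (as CSP Level 2 requires), and one that, as the post reports for Safari, drops the whole source list when it meets one. The mode names and the helper functions are my own.

```javascript
// Added example: evaluate whether a nonce-carrying script may run under a
// CSP script-src directive, modelled three ways (constructed, not browser code).
const POLICY =
  "script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;" +
  "object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf;" +
  "base-uri 'self';report-uri https://mail.google.com/mail/cspreport";

// Split "name src src; name src" into a map of directive name -> source list.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Keyword sources a CSP Level 2 browser recognises (nonces/hashes handled by regex).
const KNOWN_LEVEL2 = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);
const NONCE_OR_HASH = /^'(nonce|sha(256|384|512))-/;

// mode: "level3"      -> understands 'strict-dynamic'
//       "level2"      -> unknown keyword ignored, rest of the list kept
//       "reject-list" -> unknown keyword makes the browser drop the whole list
function scriptAllowed(policy, nonce, mode) {
  const d = parsePolicy(policy);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true;                      // nothing restricts scripts
  let list = sources;
  if (mode !== "level3") {
    const unknown = sources.filter(
      s => s.startsWith("'") && !KNOWN_LEVEL2.has(s) && !NONCE_OR_HASH.test(s));
    list = mode === "reject-list" && unknown.length
      ? []                                        // the post's observed failure
      : sources.filter(s => !unknown.includes(s));
  }
  const nonces = list.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  if (nonce && nonces.includes(nonce)) return true;
  // A nonce in the list (or an understood 'strict-dynamic') disables 'unsafe-inline'.
  if (nonces.length > 0 || (mode === "level3" && list.includes("'strict-dynamic'"))) return false;
  return list.includes("'unsafe-inline'");
}

// Compare all three models for one policy and nonce.
function compatibilityReport(policy, nonce) {
  return ["level3", "level2", "reject-list"].map(m => [m, scriptAllowed(policy, nonce, m)]);
}
```

Run `compatibilityReport(POLICY, "249DWm/bcu/nNabjU5cbVoVeo9M")` to see that the same header permits the first script in the first two models and blocks it only when the whole source list is discarded, which is exactly the symptom described above.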

Interestingly though, the free Gmail (as in not the paid G Suite version) DOES NOT send the nonce as part of the script...

I am guessing that Google implemented this new security feature without fully testing it and hence this issue is being seen now. The only solution to get G Suite Gmail working at the moment is to use the simple HTML version as documented here.

I hope that Google will apply refunds for the outage caused as a result of this.

