Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

This issue started some time around the 2nd of August 2017. My G Suite Gmail started rendering like this...
gmail_csp5.png


Update (5 August 2017) - Google has finally addressed this issue and G Suite Gmail is loading properly again. How did they do it? They removed the Content-Security-Policy header and replaced it with Content-Security-Policy-Report-Only header. This means that CSP is effectively not being enforced in Gmail any more.
gmail_csp6.png


If you're interested in the details of my analysis of this error, continue reading...

Opening up the JavaScript console in Safari's Develop menu showed a number of errors relating to the Content Security Policy.
gmail_csp4.png


Here's the text for the above errors...
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. (x9)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (1, line 0)


I looked further into this and saw that G Suite Gmail was indeed using CSP by setting a nonce value in the <script> element like this...
gmail_csp1.png


The HTTP response headers did contain the matching nonce value in the Content-Security-Policy header...
gmail_csp2.png


This was the actual text for the header...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf https://mail-attachment.googleusercontent.com/swfs/audio.swf https://mail.gstatic.com/tpl/;base-uri 'self';report-uri https://mail.google.com/mail/cspreport




This is what I believe is going wrong - the nonce appears in this part of the CSP...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;


...however Safari complains about exactly this part: directive 'script-src' contains an invalid source: ''strict-dynamic''. As a result, the entire script-src directive is being ignored, including the valid and correct nonce!

This causes the Gmail interface to bomb out, since the very first script is blocked from executing.
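To make the two points concrete (the script-src parsing above and the Report-Only change in the 5 August update), here is an added Python example, my own illustration and not code from the post or from Google: it parses the header quoted above, decides whether a nonced script would run under a browser that skips only the unrecognised source versus one that, as described above, throws away the whole script-src list, and reports whether a response is actually enforcing CSP. The two browser models, the shortened object-src list and the KEYWORDS set are assumptions.

```python
# Constructed from the header text quoted in the post (object-src list shortened).
GMAIL_CSP = (
    "script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' "
    "'unsafe-inline' https:;"
    "object-src https://mail-attachment.googleusercontent.com/swfs/audio.swf;"
    "base-uri 'self';report-uri https://mail.google.com/mail/cspreport"
)
# Keyword sources a hypothetical browser recognises; 'nonce-' and 'sha*-' are handled separately.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expression, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(policy: dict, nonce: str, supported=KEYWORDS,
                   drop_whole_directive: bool = False) -> bool:
    """Would an inline <script nonce="..."> run under this policy's script-src?
    supported: keyword sources the browser recognises.  drop_whole_directive: model
    the behaviour the post describes, where one unrecognised source makes the
    browser discard the entire script-src list, nonce included."""
    sources = policy.get("script-src")
    if sources is None:
        return True  # no script-src at all (default-src fallback omitted for brevity)
    unknown = [s for s in sources if s.startswith("'")
               and not s.startswith(("'nonce-", "'sha")) and s not in supported]
    if unknown and drop_whole_directive:
        sources = []  # the post's reading: the valid nonce is thrown away too
    else:
        sources = [s for s in sources if s not in unknown]  # spec: skip only the bad source
    if f"'nonce-{nonce}'" in sources:
        return True
    # With a nonce/hash source or 'strict-dynamic' present, 'unsafe-inline' is ignored,
    # so an inline script with a wrong or missing nonce is still blocked.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return ("'unsafe-inline'" in sources and not has_nonce_or_hash
            and "'strict-dynamic'" not in sources)


def enforcement_mode(headers: dict) -> str:
    """'enforced', 'report-only' (violations reported, nothing blocked) or 'none'."""
    names = {name.lower() for name in headers}
    if "content-security-policy" in names:
        return "enforced"
    if "content-security-policy-report-only" in names:
        return "report-only"
    return "none"
```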

Interestingly though, the free Gmail (as opposed to the paid G Suite version) DOES NOT set a nonce on the script at all...
gmail_csp3.png


I am guessing that Google rolled out this new security feature without fully testing it, which is why this issue is being seen now. The only way to get G Suite Gmail working at the moment is to use the simple HTML version, as documented here.

I hope that Google will apply refunds for the outage caused as a result of this.

-i
