Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

This issue started some time around the 2nd of August 2017. My G Suite Gmail started rendering like this...

Update (5 August 2017) - Google has finally addressed this issue and G Suite Gmail is loading properly again. How did they do it? They removed the Content-Security-Policy header and replaced it with Content-Security-Policy-Report-Only header. This means that CSP is effectively not being enforced in Gmail any more.

If you're interested in the details of my analysis of this error, continue reading...

Opening up the JavaScript console in Safari's Develop menu showed a number of errors that were to do with the Content Security Policy.

Here's the text for the above errors...
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. (x9)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (1, line 0)

I looked further into this and saw that G Suite Gmail was indeed using CSP by setting a nonce value in the <script> element like this...

The HTTP headers, however, contained the correct nonce value in the Content-Security-Policy header...

This was the actual text for the header...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf https://mail-attachment.googleusercontent.com/swfs/audio.swf https://mail.gstatic.com/tpl/;base-uri 'self';report-uri https://mail.google.com/mail/cspreport

This is what I believe is going wrong - the nonce appears in this part of the CSP...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;

...however Safari is complaining about this - directive 'script-src' contains an invalid source: ''strict-dynamic''. So the entire script-src line is being ignored, including the valid and correct nonce!

This causes the Gmail interface to bomb out since the very first script is being blocked from being executed.
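To make the source-list rules concrete, here is an added example (my own code, not Google's or anything from this post) that parses the script-src directive quoted above and evaluates a few scripts against it, once as a browser that understands 'strict-dynamic' and once as a browser that does not recognise it and drops that source. The header string is the one shown in the post; the script URLs are made up for the test.

```python
# Constructed from the header quoted in the post (nonce value as shown there).
GMAIL_CSP = (
    "script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' "
    "'unsafe-inline' https:;"
    "object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf "
    "https://mail-attachment.googleusercontent.com/swfs/audio.swf https://mail.gstatic.com/tpl/;"
    "base-uri 'self';report-uri https://mail.google.com/mail/cspreport"
)

# Source expressions introduced in CSP Level 3; a Level 2 parser reports them as invalid.
CSP3_ONLY = {"'strict-dynamic'", "'report-sample'"}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp3_sources(policy):
    """script-src sources that an older (Level 2) browser will not recognise."""
    return [s for s in policy.get("script-src", []) if s in CSP3_ONLY]


def script_allowed(policy, *, inline, nonce=None, url="", parser_inserted=True,
                   supports_strict_dynamic=True):
    """Decide whether one script runs under script-src, following the rules that
    matter here: an unrecognised source is dropped (as Safari's message says);
    'unsafe-inline' is ignored once a nonce or hash source is listed; 'strict-dynamic'
    (when supported) disables the host/scheme allowlist and permits scripts that
    already-trusted code inserts via createElement (non-parser-inserted)."""
    if "script-src" not in policy and "default-src" not in policy:
        return True  # no applicable directive: nothing is restricted
    sources = policy.get("script-src", policy.get("default-src", []))
    if not supports_strict_dynamic:
        sources = [s for s in sources if s != "'strict-dynamic'"]
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    has_hash = any(s.startswith("'sha") for s in sources)
    if nonce is not None and nonce in nonces:
        return True  # a matching nonce is sufficient in every mode
    if "'strict-dynamic'" in sources:
        return not parser_inserted  # allowlist off; only trusted-code insertions pass
    if inline:
        return "'unsafe-inline'" in sources and not nonces and not has_hash
    scheme = url.split(":", 1)[0] + ":"
    return any(s == scheme or (not s.startswith("'") and url.startswith(s)) for s in sources)
```

The bootstrap script with the correct nonce is allowed either way; an inline script that lacks the nonce is refused in both modes, because the presence of a nonce source switches 'unsafe-inline' off.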

Interestingly though, the free Gmail (as in not the paid G Suite version) DOES NOT send the nonce as part of the script...

I am guessing that Google implemented this new security feature without fully testing it and hence this issue is being seen now. The only solution to get G Suite Gmail working at the moment is to use the simple HTML version as documented here.

I hope that Google will apply refunds for the outage caused as a result of this.

