Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

This issue started some time around the 2nd of August 2017. My GSuite Gmail started rendering like this...

Update (5 August 2017) - Google has finally addressed this issue and G Suite Gmail is loading properly again. How did they do it? They removed the Content-Security-Policy header and replaced it with Content-Security-Policy-Report-Only header. This means that CSP is effectively not being enforced in Gmail any more.

If you're interested in the details of my analysis of this error, continue reading...

Opening up the JavaScript console in the Safari's Develop menu showed a number of errors that were to do with the Content Security Policy.

Here's the text for the above errors...
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. (x9)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (1, line 0)

I looked further into this and saw that G Suite Gmail was indeed using CSP by setting a nonce value in the <script> element like this...

The HTTP headers however contained the correct nonce value in the Content-Security-Policy header...

This was the actual text for the header...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf https://mail-attachment.googleusercontent.com/swfs/audio.swf https://mail.gstatic.com/tpl/;base-uri 'self';report-uri https://mail.google.com/mail/cspreport

This is what I believe is going wrong - the nonce appears in this part of the CSP...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;

...however Safari is complaining about this - directive 'script-src' contains an invalid source: ''strict-dynamic''. So the entire script-src line is being ignored, including the valid and correct nonce!

This causes the Gmail interface to bomb out since the very first script is being blocked from being executed.

Interestingly though, the free Gmail (as in not the paid G Suite version) DOES NOT send the nonce as part of the script...

I am guessing that Google implemented this new security feature without fully testing it and hence this issue is being seen now. The only solution to get G Suite Gmail working at the moment is to use the simple HTML version as documented here.

I hope that Google will apply refunds for the outage caused as a result of this.


Did you like this post or found it useful? Considering supporting this Blog to keep its web servers running, any amount helps! Thanks!
Have comments or feedback on what I wrote? Please share them below!
comments powered by Disqus
Other posts you may like...