Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

This issue started some time around the 2nd of August 2017. My GSuite Gmail started rendering like this...
[Image: gmail_csp5.png]

Update (5 August 2017) - Google has finally addressed this issue and G Suite Gmail is loading properly again. How did they do it? They removed the Content-Security-Policy header and replaced it with a Content-Security-Policy-Report-Only header. This means that CSP is effectively not being enforced in Gmail any more: violations are still reported to the report-uri, but nothing is blocked.
[Image: gmail_csp6.png]

If you're interested in the details of my analysis of this error, continue reading...

Opening up the JavaScript console in Safari's Develop menu showed a number of errors, all to do with the Content Security Policy.
[Image: gmail_csp4.png]

Here's the text for the above errors...
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. (x9)
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (1, line 0)


I looked further into this and saw that G Suite Gmail was indeed using CSP by setting a nonce value in the <script> element like this...
[Image: gmail_csp1.png]

The HTTP headers, however, contained the correct nonce value in the Content-Security-Policy header...
[Image: gmail_csp2.png]

This was the actual text for the header...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;object-src https://mail-attachment.googleusercontent.com/swfs/im/chatsound.swf https://mail-attachment.googleusercontent.com/swfs/audio.swf https://mail.gstatic.com/tpl/;base-uri 'self';report-uri https://mail.google.com/mail/cspreport

This is what I believe is going wrong - the nonce appears in this part of the CSP...
script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:;


...however Safari is complaining about this - directive 'script-src' contains an invalid source: ''strict-dynamic''. So the entire script-src line is being ignored, including the valid and correct nonce!

This causes the Gmail interface to bomb out since the very first script is being blocked from being executed.
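To make the rules these errors hinge on concrete, here is an added Python example (my own, not Google's or Safari's code) that parses the script-src directive quoted above and decides, following the CSP3 source-matching rules, whether a given script element runs. It takes a flag for whether the engine understands 'strict-dynamic' (under the spec an unrecognised source expression is dropped on its own while the rest of the list stays in force), applies the rule that 'unsafe-inline' is disregarded once a nonce is present, and contrasts an enforcing Content-Security-Policy header with the Content-Security-Policy-Report-Only header mentioned in the update at the top. Host matching is simplified to exact origins, and the sample scripts are constructed for the demonstration.

```python
"""Evaluate a CSP script-src directive the way a browser would (added example, not Gmail's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlsplit

# The script-src directive exactly as quoted from the Gmail Content-Security-Policy header above.
GMAIL_SCRIPT_SRC = (
    "script-src 'nonce-249DWm/bcu/nNabjU5cbVoVeo9M' 'strict-dynamic' "
    "'unsafe-eval' 'unsafe-inline' https:"
)

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}


@dataclass
class ScriptSrc:
    nonces: Set[str] = field(default_factory=set)
    keywords: Set[str] = field(default_factory=set)
    schemes: Set[str] = field(default_factory=set)    # e.g. "https:"
    origins: Set[str] = field(default_factory=set)    # e.g. "https://mail.gstatic.com" (exact-origin matching, simplified)
    ignored: List[str] = field(default_factory=list)  # source expressions the engine did not understand


def parse_script_src(directive: str, supports_strict_dynamic: bool = True) -> ScriptSrc:
    """Parse 'script-src ...'. Per CSP3, a source expression the browser does not
    recognise is dropped on its own; the remaining sources stay in force."""
    name, *sources = directive.strip().rstrip(";").split()
    if name != "script-src":
        raise ValueError(f"expected a script-src directive, got {name!r}")
    p = ScriptSrc()
    for src in sources:
        low = src.lower()
        if low.startswith("'nonce-") and low.endswith("'"):
            p.nonces.add(src[len("'nonce-"):-1])       # nonce value is case-sensitive, keep original
        elif low in KEYWORDS:
            if low == "'strict-dynamic'" and not supports_strict_dynamic:
                p.ignored.append(src)                  # what an engine without CSP3 support does with it
            else:
                p.keywords.add(low)
        elif low.endswith(":") and "/" not in low:
            p.schemes.add(low)                         # scheme source such as https:
        elif "://" in low:
            u = urlsplit(low)
            p.origins.add(f"{u.scheme}://{u.netloc}")  # host source, reduced to its origin
        else:
            p.ignored.append(src)
    return p


@dataclass
class Script:
    """A <script> as the browser sees it when deciding whether to run it (constructed input)."""
    inline: bool
    nonce: Optional[str] = None
    url: Optional[str] = None
    parser_inserted: bool = True  # False for scripts created by other scripts (trusted under 'strict-dynamic')


def script_allowed(p: ScriptSrc, s: Script) -> bool:
    if s.nonce is not None and s.nonce in p.nonces:
        return True                                    # a matching nonce always admits the script
    if "'strict-dynamic'" in p.keywords:
        # 'strict-dynamic': scheme/host sources and 'unsafe-inline' are disregarded;
        # only nonced scripts and the scripts they create programmatically may run.
        return not s.inline and not s.parser_inserted
    if s.inline:
        # 'unsafe-inline' is ignored whenever the directive carries a nonce (or hash).
        return "'unsafe-inline'" in p.keywords and not p.nonces
    u = urlsplit(s.url or "")
    return f"{u.scheme}:" in p.schemes or f"{u.scheme}://{u.netloc}" in p.origins


def decide(header_name: str, p: ScriptSrc, s: Script) -> str:
    """Outcome under an enforcing Content-Security-Policy header vs. Content-Security-Policy-Report-Only."""
    if script_allowed(p, s):
        return "executed"
    if header_name == "Content-Security-Policy":
        return "blocked"
    return "executed, violation reported to report-uri"


if __name__ == "__main__":
    nonce = "249DWm/bcu/nNabjU5cbVoVeo9M"
    cases = {
        "inline script with the header's nonce": Script(inline=True, nonce=nonce),
        "inline script without a nonce": Script(inline=True),
        "parser-inserted https script": Script(inline=False, url="https://mail.gstatic.com/x.js"),
        "script created by a nonced script": Script(inline=False, url="https://mail.gstatic.com/y.js",
                                                   parser_inserted=False),
    }
    for supports in (True, False):
        p = parse_script_src(GMAIL_SCRIPT_SRC, supports_strict_dynamic=supports)
        print(f"\nengine supports 'strict-dynamic': {supports}; ignored sources: {p.ignored}")
        for label, s in cases.items():
            print(f"  {label:42s} CSP={decide('Content-Security-Policy', p, s):8s} "
                  f"Report-Only={decide('Content-Security-Policy-Report-Only', p, s)}")
```

Running it prints one table per engine. The row worth comparing is the parser-inserted https script without a nonce: an engine that honours 'strict-dynamic' blocks it, while an engine that drops that keyword falls back to the https: scheme source and runs it. In both engines the inline script is admitted only by its nonce, and under Report-Only nothing is blocked at all, which is why switching headers made Gmail load again.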

Interestingly though, the free Gmail (as in not the paid G Suite version) DOES NOT send the nonce as part of the script...
[Image: gmail_csp3.png]

I am guessing that Google implemented this new security feature without fully testing it and hence this issue is being seen now. The only solution to get G Suite Gmail working at the moment is to use the simple HTML version as documented here.

I hope that Google will apply refunds for the outage caused as a result of this.

-i

A quick disclaimer...

Although I put in a great effort into researching all the topics I cover, mistakes can happen. Use of any information from my blog posts should be at own risk and I do not hold any liability towards any information misuse or damages caused by following any of my posts.

All content and opinions expressed on this Blog are my own and do not represent the opinions of my employer (Oracle). Use of any information contained in this blog post/article is subject to this disclaimer.
NOTE: (2022) This Blog is no longer maintained and I will not be answering any emails or comments.

I am now focusing on Atari Gamer.