google / google-api-javascript-client

Google APIs Client Library for browser JavaScript, aka gapi.
Apache License 2.0

Safari only bug: 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. #397

Open mesqueeb opened 6 years ago

mesqueeb commented 6 years ago

Dear GAPI team. I have a security bug only on Safari. Right in between loading and initialising GAPI I get these:

[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

TMSCH commented 6 years ago

What version of Safari do you use?

mesqueeb commented 6 years ago

@TMSCH 11.0.3 (13604.5.6)

TMSCH commented 6 years ago

I can indeed see the message regarding strict-dynamic. It seems that Safari doesn't support this CSP directive. It doesn't seem to prevent the library from working though, so it's indeed low priority. Thanks for the report!

EnVy28 commented 6 years ago

Yo! I have the same problem, tested in Safari 9.

@TMSCH said that it does not prevent the library from working, but somehow the sign-out thingy is not working... I don't know if the error causes it or not though. Every time I run my signout function it just reloads the page and does not sign out.

var auth2 = gapi.auth2.getAuthInstance();
auth2.signOut().then(function () {
    console.log('User signed out.');
    /* AJAX (Delete site session) */
});
auth2.disconnect();

PS: It works on Chrome, IE 11, EDGE (All latest ver as of now)

TMSCH commented 6 years ago

@EnVy28 are you only observing the error mentioned in the first comment? Why are you disconnecting the user too? You should remove that call.

EnVy28 commented 6 years ago

@TMSCH It's my first time using Google's SSO, so I just followed the basic example written in the docs, which is exactly like the code I posted above except that there is no auth2.disconnect();.

But without auth2.disconnect();, somehow my application won't sign out; it just redirects to the main page, even though I delete the user's session in my app.

It's all good though. I stopped using macOS after Lion, so I didn't know that Safari 9 and 10 support is over, so we just stopped supporting those too.

Currently there are no problems with Safari 11 so far, so it's all good...

StonehengeCreations commented 6 years ago

I get the same error on the latest version of macOS with the latest version of Safari. So it appears to have not been solved.

gp-birender commented 6 years ago

Yes, this is happening in the latest version of Safari on Mac.

ramiljoaquin-ubidy commented 6 years ago

What is the solution for this issue? We get the same error as well.

abel672 commented 6 years ago

Hi, I am having this issue using the Google People API to get the Gmail contacts. Basically it throws it when my code tries to open the Google API popup to sign in with Gmail. It doesn't open it, by the way.

This is the code:

// Signin process (init client)
gapi.load('client:auth2', () => {

    gapi.client.init({
        apiKey: 'API_KEY',
        discoveryDocs: ['https://people.googleapis.com/$discovery/rest?version=v1'],
        clientId: 'CLIENT_KEY.apps.googleusercontent.com',
        scope: 'profile email https://www.googleapis.com/auth/contacts.readonly'
    }).then((data) => {

        // Signin with auth2 process (authentication from google)
        gapi.auth2.getAuthInstance().signIn()
            .then((data) => {

                console.log('data', data);
                let signedin = gapi.auth2.getAuthInstance().isSignedIn.get();

                // Once signed in, take data
                if (signedin) {
                    console.log('people', gapi.client);
                    gapi.client.people.people.connections.list({
                        resourceName: 'people/me',
                        personFields: 'emailAddresses,names,phoneNumbers'
                    }).then((data) => {

                        let res = data.result;
                        console.log('data', res);
                        let phonesNumbers = res.connections;
                        let pageToken = res.nextPageToken;

                        // Displaying contacts
                        this.addContacts(phonesNumbers);

                        // NextPageToken
                        if (pageToken) {
                            this.getMoreContacts(pageToken);
                        } else {
                            this.showContacts();
                        }
                    }).catch((err) => {
                        console.log('err', err);
                    });
                }
                console.log('signedin', signedin);
            }).catch((err) => {
                console.log('Err', err);
            });
    });
});

This is the error that Safari is throwing.


mesqueeb commented 6 years ago

@abel672 Are you sure you don't have an ad blocker on? These usually block these. In that case you should catch this specific error and display a message to the user asking them to disable the ad-block extension.

akashzcoder commented 6 years ago

I had the same issue, after disabling the adblocker, it started to work! Just curious, what does it have to do with the adblocker?

mesqueeb commented 6 years ago

@akashzcoder The browser thinks the login popup is an advertisement lol... That's either some bad coding by the AdBlock devs, or I don't know if the Google API Client can do anything to prevent such things.

gp-birender commented 6 years ago

I had the same issue but it's working now: I posted the serialized form and removed the other ajax parameters. Very strange!!!

dohsimpson commented 6 years ago

I have the same problem :(

For me, disabling ad blocker (ublock origin) doesn't work, but turning on incognito mode works.

kolnogorov commented 6 years ago

Did anybody solve the original poster's bug? Is there any solution for this?

abel672 commented 6 years ago

I solved it this way, thanks to a friend: open Safari and go to 'Preferences', go to the 'Security' tab and disable 'Block pop-up windows'.


Hope it can help.

dohsimpson commented 6 years ago

I get the following error in my Safari console after opening google.com for a few seconds. This causes the input prompt to lose focus, which is very annoying due to how often I use google.


After some digging, I realized that when the widget script for notification.google.com tries to execute, it will cause the error.

Solution: I added the following rule in my ad blocker (uBlock origin for Safari) to block the widget from loading.

www.google.com https://notifications.google.com/u/0/widget sub_frame block

UPDATE: 2019-01-10

www.google.com https://notifications.google.com/u/0/widget * block

Hope this helps someone.

markhougaard commented 6 years ago

For what it's worth, this is still an issue in Safari 12.0 (14606.1.22.2 - macOS Mojave 10.14 Beta (18A326g)), without an adblocker installed.

mesqueeb commented 6 years ago

@marksdk To me that's worth a lot. Thanks!! : )

liquidvisual commented 5 years ago

Thanks Safari!

markhougaard commented 5 years ago

I kept looking into this issue for a while, and I ran into a lot of trouble with Chrome adhering to CSP v3 and Safari still adhering to CSP v2: https://www.chromestatus.com/features/5633814718054400. In short, nonce- or hash-based whitelists will be a requirement at some point, but right now the major browsers just interpret the same whitelists differently ¯\_(ツ)_/¯

That might help some of you narrow down the search when looking for an answer to CSP troubles.

emolr commented 5 years ago

I have scratched my head for a while but finally made it work for me.

Instead of having <script src="https://apis.google.com/js/platform.js"></script> in my index.html, I'm appending it to <head> using JavaScript.

const scriptNode = document.createElement('script');
scriptNode.src = this.gapiUrl; // e.g. 'https://apis.google.com/js/platform.js'
scriptNode.type = 'text/javascript';
scriptNode.charset = 'utf-8';
document.getElementsByTagName('head')[0].appendChild(scriptNode);

I still get the error in the Safari console, but the Google API now works and I can log in users in Safari, even though it feels like the hackiest thing since targeting specific browser versions via CSS selectors.

Please let me know if there's a better solution.

tom-b-wright commented 5 years ago

I am getting this error when accessing a site from Safari 12 having reCaptcha V3 enabled on it. The reCaptcha script loads this URL: https://www.google.com/recaptcha/api2/anchor. By simply issuing an HTTP GET request to that URL (no params needed), we get back the following HTTP header from the server:

Content-Security-Policy: script-src 'nonce-guXj7w7oWwUuGz/RZw2vXUoxt7E' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1

The HTTP header contains this 'strict-dynamic' option, and that causes Safari to write many error messages to the console. The code works, but these error messages are annoying.

Safari has Content Security Policy 2 and the 'strict-dynamic' option is introduced in CSP 3. CSP 3 is 'Working Draft', CSP 2 is 'Recommendation'.

jeanpaul1304 commented 5 years ago

I have the same error, when my app uses google recaptcha in safari

oprearocks commented 5 years ago

I have the same error, when my app uses google recaptcha in safari

Same thing here. Using ReCaptcha on Safari makes it freeze.

therealcaii commented 5 years ago

Getting the same error here using Invisible reCaptcha v2

matviishyn commented 5 years ago

Same error, using reCaptcha v2

ghost commented 5 years ago

Found the solution on SO. You have to trigger the popup in response to a click. There is no alternative and there likely never will be unless Google cracks Safari's popup blocker.

@abel672 thank you for informing us of the cause, it helped find the answer.

hoathai commented 5 years ago

To add another set of scenarios to this issue for tracking: my main domain works, but this issue exists on a subdomain on Safari and Safari Technology Review 12.1. Interestingly, Safari on iOS can log into the same subdomain that desktop is unable to sign into. ¯\_(ツ)_/¯

yuruxuan commented 5 years ago

The same error, but it appeared today for the first time :( Safari 11.1.2

anishkny commented 5 years ago

I am seeing this in http://console.firebase.google.com on Safari. The console fails to load 😢

yuruxuan commented 5 years ago

I am seeing this in http://console.firebase.google.com on Safari. The console fails to load 😢

I found just http://console.firebase.google.com can not load. You can visit your project page directly, like https://console.firebase.google.com/project/your_project_id/overview

anishkny commented 5 years ago

Update: http://console.firebase.google.com/ started working for me earlier this week. No changes to Safari still Version 11.0.3 (13604.5.6). macOS High Sierra 10.13.3.

tjkohli commented 5 years ago

I still have this error using Google reCaptcha on Safari 12.0.2.

harshadduasane commented 5 years ago

Hello, I am also facing the same issue. I tried almost all the solutions provided above, but no success.

Any one found solution? please help

surger commented 5 years ago

Also having trouble with Google reCAPTCHA on Safari.

saramoran commented 5 years ago

Hi, I also have this problem using Recaptcha (2 or 3, I tried both) on Safari 12.0.3.

umpc commented 5 years ago

"It doesn't seem to prevent the library to work"

But it creates false alarms on production sites that use APM tools.

The actual error messages are hidden by default, due to crossorigin rules, so I only found out that this was the cause after real-device testing.

Any fix for this issue on ReCAPTCHA would be greatly appreciated.

Lozik commented 5 years ago

I can confirm that issue. I'm on Safari 12.0.3 on macOS 10.13.6. No ad blockers installed. Is reCAPTCHA even using this client? It does not figure in the listing of the README.

Even on the Google Recaptcha demo page, the error is present. See screenshots.

This is extremely painful for users using Safari.

ghost commented 5 years ago

Not every browser, even their respective latest versions, supports every CSP directive. Period. EDIT: Google is Google. Google IS EVIL. Get over it. They're in full control of the browser market ever since Microsoft bowed to them and began using Google's web engine instead of the one they developed in-house and used in various incarnations ever since IE was born. Now Edge exists, yet it too stopped using Microsoft devs and instead now licks the boots of Google by using Chromium as its base.

cleathersden commented 5 years ago

sooo... there's no solution ?

cleathersden commented 5 years ago

Try adding "localhost" to the recaptcha list of domains.

grant commented 5 years ago

Hi all, I believe this issue is due to Safari being a browser without CSP 3.0 compliance, and thus it will ignore strict-dynamic.

Here's an example site you can view to see compliance: https://csp-experiments.appspot.com/strict-dynamic

Related tracking issue: https://github.com/Fyrd/caniuse/issues/2315

Progress on this issue is blocked by that Safari support.

powolnymarcel commented 5 years ago

Hi,

I had the same problem. I added a nonce attribute to my script tag and my project is working on Safari...

var scriptElement = document.createElement('script');
scriptElement.nonce = 'this_is_my_nonce'; // must match the 'nonce-...' value in the page's CSP header
scriptElement.setAttribute('recaptcha-v3-script', '');
var scriptBase = 'https://www.google.com/recaptcha/api.js';
scriptElement.src = scriptBase;
document.head.appendChild(scriptElement);

PhamLeHai commented 5 years ago

In my case, even after loading api.js via JavaScript successfully, once it tries to reloadAuthResponse() it receives the error 'userLoggedOut'; I cannot find any document/hint about the error.

Suddenly, after I changed the UX mode of the .signIn() function from 'redirect' to the default (popup), there are still errors on the console, but magically the script can load and users can log in normally.

I still don't understand the reason, since the code of the auth2 module is converted and hard to read in the browser. I can only guess that the redirect request (after login) failed to update some cookies, so the redirected page cannot authenticate with Google; this does not happen in popup mode because the page is not redirected?

Anyway, it seems to be working. Hope this can help others. Please let me know if there is any way to dig deeper into this issue.

tvb commented 4 years ago

I got the same problem on macOS 10.15.2 (19C57) and Safari Version 13.0.4 (15608.4.9.1.3).

morscad commented 4 years ago

Hi All

We have the same issue making calls to the Google reCAPTCHA v3 API from a web application (React + Gatsby) which is loaded in a react-native webview on iOS.

Safari on desktop (macOS 10.15.2) allows the call to pass but with lots of warnings, but react-native-webview on iOS blocks the call entirely. The same code works fine on Android, and on Chrome and Firefox on desktop.

Anyone had any breakthroughs in making this happen?

mamallama commented 4 years ago

Is there a solution to this? Having the same issue, no popup blocker, macOS 10.15.2, Safari version 13.0.4, only error: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."

It's keeping me from submitting a form.

paulbeard commented 4 years ago

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

is also showing on Gmail's web UI. The old 2004-vintage, low/slow-bandwidth version works fine, but the new Standard view doesn't load. It had been balking for a few days, but now it just fails.