Safari only bug: 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.

[mesqueeb]

Dear GAPI team.
I have a security bug only on Safari.
Right in between loading and initialising GAPI I get these:

[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

[TMSCH]

What version of Safari do you use?

[mesqueeb]

@TMSCH 11.0.3 (13604.5.6)

[TMSCH]

I can indeed see the message regarding strict-dynamic. It seems that Safari doesn't support this CSP directive. It doesn't seem to prevent the library to work though, so it's indeed low priority.
Thanks for the report!

[EnVy28]

Yo! I have the same problem, tested in Safari 9.

@TMSCH said that it does not prevent the library to work, but somehow the sign out thingy is not working... I don't know if the error causes it or not though. Everytime I run my signout function it just reloads the page and not signing out.

var auth2 = gapi.auth2.getAuthInstance(); auth2.signOut().then(function () { console.log('User signed out.'); /* AJAX (Delete site session) */ }); auth2.disconnect();

PS: It works on Chrome, IE 11, EDGE (All latest ver as of now)

[TMSCH]

@EnVy28 are you only observing the error mentioned in the first comment? Why are you disconnecting the user too? You should remove that call.

[EnVy28]

@TMSCH It's my first time using Google's SSO so I just followed the basic example written in the docs which is, exactly like the above code I posted except, there is no auth2.disconnect();.

But without auth2.disconnect();, somehow my application won't signout, it just redirects to the main page, even though I delete the users session in my app.

It's all good though, I stopped using MacOS since Lion so I didn't know that Safari 9 and 10 support are over so we just stopped supporting that too.

Currently there are no problems with Safari 11 so far, so it's all good...

[StonehengeCreations]

I get the same error on the latest version of Mas OSX with the latest version of Safari. So it appears to have not been solved.

[gp-birender]

yes this is happening in latest version of Mac safari

[ramiljoaquin-ubidy]

What is the solution for this issue? We get the same error as well.

[abel672]

Hi, I am having this issue using the Google People API to the the gmail contacts.
Basically is throwing it when my code try to open the google api popup to signing with gmail. It doesn't open it by the way.

This is the code:

// Signin process (init client)
        gapi.load('client:auth2', () => {

            gapi.client.init({
                apiKey: 'API_KEY',
                discoveryDocs: ['https://people.googleapis.com/$discovery/rest?version=v1'],
                clientId: 'CLIENT_KEY.apps.googleusercontent.com',
                scope: 'profile email https://www.googleapis.com/auth/contacts.readonly'
            }).then((data) => {

                // Signin with auth2 process (authentication from google)
                gapi.auth2.getAuthInstance().signIn()
                    .then((data) => {

                        console.log('data', data);
                        let signedin = gapi.auth2.getAuthInstance().isSignedIn.get();

                        // Once signed in, take data
                        if (signedin) {
                            console.log('people', gapi.client);
                            gapi.client.people.people.connections.list({
                                resourceName: 'people/me',
                                personFields: 'emailAddresses,names,phoneNumbers'
                            }).then((data) => {

                                let res = data.result;
                                console.log('data', res);
                                let phonesNumbers = res.connections;
                                let pageToken = res.nextPageToken;

                                // Displaying contacts
                                this.addContacts(phonesNumbers);

                                // NextPageToken
                                if (pageToken) {
                                    this.getMoreContacts(pageToken);
                                } else {
                                    this.showContacts();
                                }
                            }).catch((err) => {
                                console.log('err', err);
                            });
                        }
                        console.log('signedin', signedin);
                    }).catch((err) => {
                        console.log('Err', err);
                    });
            });
        });

This is the error that is throwing Safari.

[mesqueeb]

@abel672 Are you sure you don't have an Adblock on? These usually block these.
In that case you should catch this specific error and display a message to the user asking to disable the adblock extension.

[akashzcoder]

I had the same issue, after disabling the adblocker, it started to work! Just curious, what does it have to do with the adblocker?

[mesqueeb]

@akashzcoder The browser thinks the login popup is an advertisement lol... That's either some bad coding by the AdBlock devs or I don't know if the Google Api Client can do anything to prevent such things.

[gp-birender]

I had the same issue but its working now, I have posted the serialized form and remove other ajax parameters. very strange!!!

[dohsimpson]

I have the same problem :(

For me, disabling ad blocker (ublock origin) doesn't work, but turning on incognito mode works.