Email thumbnail URL changed to googleusercontent.com in gmail

Question

I have a system whenever user upload an image, it will send an email to the registered user\'s gmail. But in the email, i see something like this, the thumbnail is not viewable.

Answer 1

How does Google Image Proxy work

The Google Image Proxy is a caching proxy server. Every time an image link is included in email the request will go to the Google Image Proxy first to see if it has been cached, if so it should serve it up from the proxy or it will go fetch it and cache it there after.

The solution for most issues

The Google Image Proxy server will fetch your images if this images:

• have extensions like .png, .jpg/.jpeg or .gif only. May be .webp too. But not .svg.
• do not use any kind of query string part in the image URL like ?id=123
• have an URL which is mapped onto the image directly.
• have not a long name.

Requirements for image server:

• The response from image server/proxy server must include the correct header like Content-Type: image/jpeg.
• File extension and content-type header must be in the same type.
• Status code in server response must be 200 instead of 403, 500 and etc.

---

What could help too?

Google support answer:

Set up an image URL proxy whitelist

When your users open email messages, Gmail uses Google’s secure proxy servers to serve images that might be included in these messages. This protects your users and domain against image-based security vulnerabilities.

Because of the image proxy, links to images that are dependent on internal IPs and sometimes cookies are broken. The Image URL proxy whitelist setting lets you avoid broken links to images by creating and maintaining a whitelist of internal URLs that'll bypass proxy protection.

When you configure the Image URL proxy whitelist, you can specify a set of domains and a path prefix that can be used to specify large groups of URLs. See the guidelines below for examples.

Configure the Image URL proxy whitelist setting:

• Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
• From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings. Tip: To see Advanced settings, scroll to the bottom of the Gmail page.
• On the left, select your top-level organization.
• Scroll to the Image URL proxy whitelist section.
• Enter image URL proxy whitelist patterns. Matching URLs will bypass image proxy protection. See the guidelines below for more details and instructions.
• At the bottom, click Save.

It can take up to an hour for changes to propagate to user accounts. You can track prior changes under Admin console audit log.

Guidelines for applying the Image URL proxy whitelist setting

Security considerations

Consult with your security team before configuring the Image URL proxy whitelist setting. The decision to bypass image proxy whitelist protection can expose your users and domain to security risks if not used with care.

In general, if you have a domain that needs authentication via cookie, and if that domain is controlled by an administrator within your organization and is completely trusted, then whitelisting that URL should not expose your domain to image-based attacks.

Important: Disabling the image proxy is not recommended. This option is available to provide flexibility for administrators, but disabling the image proxy can leave your users vulnerable to malicious attacks.

Entering Image URL patterns

To maintain a whitelist of internal URLs that'll bypass proxy protection, enter the image URL patterns in the Image URL proxy whitelist setting. Matching URLs will bypass the image proxy.

A pattern can contain the scheme, the domain, and a path. The pattern must always have a forward slash (/) present between the domain and path. If the URL pattern specifies a scheme, then the scheme and the domain must fully match. Otherwise, the domain can partially match the URL suffix. For example, the pattern google.com matches www.google.com, but not gle.com. The URL pattern can specify a path that's matched against the path prefix.

Important: Enter your actual domain name as you enter the image URL pattern. Always include a trailing forward slash (/) after the domain name.

Examples of Image URL patterns

The following patterns are examples only. The following patterns:

http://rule_fixed_scheme_domain.com/
rule_flex_scheme_domain.com/
rule_fixed_subpath.com/cgi-bin/

... will match the following URLs:

http://rule_fixed_scheme_domain.com/
http://rule_fixed_scheme_domain.com/test.jpg?foo=bar#frag
http://rule_fixed_scheme_domain.com
rule_flex_scheme_domain.com/
t.rule_flex_scheme_domain.com/test.jpg
http://t.rule_flex_scheme_domain.com/test.jpg
https://t.rule_flex_scheme_domain.com/test.jpg
http://rule_fixed_subpath.com/cgi-bin/
http://rule_fixed_subpath.com/cgi-bin/people

Note: The URL scheme (http://) is optional. If the scheme is omitted, the pattern can match any scheme, and allows partial matches on the domain suffix.

Previewing the image URL patterns

Click Preview to see if the URLs match the image URL patterns you've set. If the image URL matches a pattern, you'll see a confirmation message. If the image URL does not match, an error message appears.

Answer 2

Bharata has a great and detailed answer on this, but just wanted to add one addition that I identified with a similar issue.

We had a x-webkit-csp content security header that turned out to be the culprit. Removing it and all worked through the image proxy.

Google's response was that x-webkit-csp is deprecated and to use the Content-Security-Policy header instead. However this seems like a bug that an unsupported header throws a fatal error rather than simply ignoring it.