I am serving google ads on an SSL site successfully, with CORS headers set properly (and wide open) by rack-cors as:
Rails.configuration.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*', headers: :any, methods: :any
  end
end
I can confirm that the headers are there with a curl call:
$ curl -I https://viewing.nyc -H "Origin: https://foobar.com"
...
Access-Control-Allow-Origin: https://foobar.com
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Max-Age: 1728000
...
If you visit in Chrome or Firefox, there are no cross-site scripting errors in the console, yet on Safari, there are thousands.
Blocked a frame with origin "https://googleads.g.doubleclick.net" from accessing a frame with origin "https://viewing.nyc". Protocols, domains, and ports must match.
Live example
I've pored through the rack-cors issues page with no solution working thus far. Why is this happening only on Safari, and how can I fix it?
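The Safari message quoted above is WebKit's same-origin check on one frame reaching into another frame's DOM; that check is not governed by CORS response headers, which only decide whether a script may read the response of a cross-origin fetch. The rack-cors configuration in the question does echo any Origin back (the curl output shows https://foobar.com being reflected), so the example below, added here and not part of the question or of the rack-cors project, shows the same middleware idea restricted to an explicit origin allowlist and a fixed method set. It uses only the plain Rack calling convention, call(env) returning [status, headers, body], so it runs without the rack gem; the origins in ALLOWED_ORIGINS, the ALLOWED_METHODS list and the 600-second max-age are constructed values for the example.

```ruby
# Added example, not from the question or from rack-cors: a Rack-style CORS
# middleware that only reflects Origins from an explicit allowlist. Values in
# ALLOWED_ORIGINS / ALLOWED_METHODS / MAX_AGE are constructed for the example.

class AllowlistCors
  ALLOWED_ORIGINS = %w[https://viewing.nyc https://googleads.g.doubleclick.net].freeze
  ALLOWED_METHODS = %w[GET HEAD OPTIONS].freeze
  MAX_AGE = '600'

  def initialize(app)
    @app = app
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    # No Origin header: not a cross-origin request, pass straight through.
    return @app.call(env) if origin.nil?

    # Unknown origin: serve the response with no CORS headers at all, so the
    # browser refuses to expose it to the calling page.
    return @app.call(env) unless ALLOWED_ORIGINS.include?(origin)

    if env['REQUEST_METHOD'] == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
      # Preflight: answered by the middleware, the application is never reached.
      requested = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      unless ALLOWED_METHODS.include?(requested)
        return [403, { 'Content-Type' => 'text/plain' }, ['method not allowed']]
      end
      headers = cors_headers(origin).merge(
        'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
        'Access-Control-Max-Age' => MAX_AGE
      )
      return [204, headers, []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(origin)), body]
  end

  private

  def cors_headers(origin)
    # Reflect only a verified origin, and tell caches the answer depends on it.
    { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
  end
end

# Constructed application sitting behind the middleware.
HELLO_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['hello']] }
CORS_APP = AllowlistCors.new(HELLO_APP)

# Run one request through the stack and return [status, headers].
def cors_response(method:, origin: nil, preflight_method: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = preflight_method if preflight_method
  status, headers, _body = CORS_APP.call(env)
  [status, headers]
end

if __FILE__ == $PROGRAM_NAME
  p cors_response(method: 'GET', origin: 'https://foobar.com')
  p cors_response(method: 'GET', origin: 'https://googleads.g.doubleclick.net')
  p cors_response(method: 'OPTIONS', origin: 'https://viewing.nyc', preflight_method: 'DELETE')
end
```

The unknown-origin branch deliberately returns the response without any Access-Control header rather than with a 403: the browser then blocks the read on its own, and non-browser clients see nothing different from before.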
I think adding content-security-policy headers should help you.
add_header Content-Security-Policy "script-src 'self' https://googleads.g.doubleclick.net";
Read more here:
https://developers.google.com/web/fundamentals/security/csp/
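The header the answer sets with nginx's add_header can also be produced inside the application, so the policy is versioned with the code. The example below is added here and is not from the answer, from nginx, or from any Rails project: a Rack-style middleware that serialises a directive table into a Content-Security-Policy header, rejects malformed source expressions at boot instead of shipping a header the browser would ignore, and can run in report-only mode first. The DEFAULT_DIRECTIVES table is constructed to match the answer's script-src value; the PAGE_APP application and the SOURCE pattern are assumptions of the example.

```ruby
# Added example, not from the answer or from nginx: build and attach a CSP
# header from a directive table. DEFAULT_DIRECTIVES mirrors the answer's
# script-src value; PAGE_APP and the SOURCE pattern are constructed here.

class ContentSecurityPolicy
  # Allow page scripts from the page's own origin and from the ad server named
  # in the question; other fetch types stay unconstrained until a directive
  # for them is added.
  DEFAULT_DIRECTIVES = {
    'script-src' => ["'self'", 'https://googleads.g.doubleclick.net']
  }.freeze

  # A source expression must be a CSP keyword, a scheme, or a host (optional
  # scheme, wildcard subdomain and port). Anything else is a configuration
  # error and is raised at construction time.
  SOURCE = %r{\A(?:'(?:self|none|unsafe-inline|unsafe-eval)'|[a-z][a-z0-9+.-]*:|(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9.-]+(?::\d+|:\*)?)\z}i

  def initialize(app, directives: DEFAULT_DIRECTIVES, report_only: false)
    @app = app
    @header = report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
    @value = self.class.serialize(directives)
  end

  # "name src src; name src" in the header's wire format.
  def self.serialize(directives)
    directives.map do |name, sources|
      sources.each do |s|
        raise ArgumentError, "bad CSP source #{s.inspect} in #{name}" unless s.match?(SOURCE)
      end
      "#{name} #{sources.join(' ')}"
    end.join('; ')
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only HTML documents need a policy; on JSON or image responses the header
    # is noise.
    if headers['Content-Type'].to_s.start_with?('text/html')
      headers = headers.merge(@header => @value)
    end
    [status, headers, body]
  end
end

# Constructed application returning an HTML document.
PAGE_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html></html>']] }

# Run one GET through the middleware and return the response headers.
def csp_header_for(env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }, report_only: false)
  _status, headers, _body = ContentSecurityPolicy.new(PAGE_APP, report_only: report_only).call(env)
  headers
end

puts csp_header_for.fetch('Content-Security-Policy') if __FILE__ == $PROGRAM_NAME
```

Deploying with report_only: true first lets the browser report what the policy would have blocked (via a report-uri or report-to directive, not shown) before the enforcing header is switched on.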