Google Adsense, CORS and Rails in Safari dumps thousands of console errors

I am serving google ads on an SSL site successfully, with CORS headers set properly (and wide open) by rack-cors as:

Rails.configuration.middleware.insert_before 0, Rack::Cors do
  allow do
    origins  '*'
    resource '*', headers: :any, methods: :any
  end
end

I can confirm that the headers are there with a curl call:

$ curl -I https://viewing.nyc -H "Origin: https://foobar.com"
...
Access-Control-Allow-Origin: https://foobar.com
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Max-Age: 1728000
...

If you visit in Chrome or Firefox, there are no cross-site scripting errors in the console, yet on Safari, there are thousands.

Blocked a frame with origin "https://googleads.g.doubleclick.net" from accessing a frame with origin "https://viewing.nyc". Protocols, domains, and ports must match.


I've pored through the rack-cors issues page with no solution working thus far. Why is this happening only on Safari, and how can I fix it?

coneybeare asked Oct 31 '16 12:10

1 Answer

I think adding content-security-policy headers should help you.

# nginx server/location block: the header name and its quoted value, terminated by a semicolon
add_header Content-Security-Policy "script-src 'self' https://googleads.g.doubleclick.net";

Read more here:

https://developers.google.com/web/fundamentals/security/csp/

Samay answered Nov 07 '22 00:11
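The Rails-side equivalent of the answer's nginx line, as an added example that is not code from the question, the answer or rack-cors: a plain Rack middleware that sets the same Content-Security-Policy header, plus a small evaluator showing which script origins that policy admits. A CSP governs what the page itself may load; the Safari message in the question is the browser's same-origin policy refusing one frame's script access to another frame's DOM, which neither CORS nor CSP response headers change. The stub application and the sample URLs in the test are constructed for illustration.

```ruby
require 'uri'

# Added example (not the question's or the answer's code): a plain Rack
# middleware setting the Content-Security-Policy header the answer suggests,
# plus an evaluator for what the policy permits. Standard library only.
class ContentSecurityPolicy
  # Mirrors the answer's policy: scripts from the page itself and DoubleClick.
  DEFAULT_POLICY = {
    'script-src' => ["'self'", 'https://googleads.g.doubleclick.net'],
  }.freeze

  def initialize(app, policy = DEFAULT_POLICY)
    @app = app
    @header_value = self.class.serialize(policy)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers['Content-Security-Policy'] ||= @header_value # keep an app-set policy
    [status, headers, body]
  end

  # { 'script-src' => [...] } -> "script-src 'self' https://..."
  def self.serialize(policy)
    policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join('; ')
  end

  # Would a resource at `url`, governed by `directive`, load on a page served
  # from `page_origin`? Handles 'self', 'none', '*', scheme sources (https:)
  # and exact origins, with the default-src fallback; host wildcards omitted.
  def self.allows?(policy, directive, url, page_origin)
    sources = policy.fetch(directive) { policy['default-src'] }
    return true if sources.nil? # no directive and no default-src: unrestricted
    u = URI(url)
    port = u.port == u.default_port ? '' : ":#{u.port}"
    origin = "#{u.scheme}://#{u.host}#{port}"
    sources.any? do |src|
      case src
      when "'self'" then origin == page_origin
      when "'none'" then false
      when '*' then true
      when /\A[a-z][a-z0-9+.-]*:\z/ then src == "#{u.scheme}:"
      else src == origin
      end
    end
  end
end

# Run the middleware over a constructed stub app and return the header it set.
def csp_header_for(env, policy = ContentSecurityPolicy::DEFAULT_POLICY)
  stub = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html></html>']] }
  _status, headers, _body = ContentSecurityPolicy.new(stub, policy).call(env)
  headers['Content-Security-Policy']
end
```

In a Rails app the class would be registered with `config.middleware.use ContentSecurityPolicy` alongside the rack-cors insertion shown in the question.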