
I am serving google ads on an SSL site successfully, with CORS headers set properly (and wide open) by rack-cors as:

Rails.configuration.middleware.insert_before 0, Rack::Cors do
  allow do
    origins  '*'
    resource '*', headers: :any, methods: :any
  end
end

I can confirm that the headers are there with a curl call:

$ curl -I https://viewing.nyc -H "Origin: https://foobar.com"
...
Access-Control-Allow-Origin: https://foobar.com
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Max-Age: 1728000
...

If you visit in Chrome or Firefox, there are no cross-site scripting errors in the console, yet on Safari, there are thousands.

Blocked a frame with origin "https://googleads.g.doubleclick.net" from accessing a frame with origin "https://viewing.nyc". Protocols, domains, and ports must match.

Live example

I've pored through the rack-cors issues page with no solution working thus far. Why is this happening only on Safari, and how can I fix it?

sideshowbarker
coneybeare
  • As an added bonus, I will also award a 500 bounty on this similar question from 2 years ago, http://stackoverflow.com/questions/26858447/ssl-custom-tlds-crossdomain-xml-and-adsense-can-they-play-nicely, and award it to the bounty hunter of this question, if solved. – coneybeare Nov 07 '16 at 12:46
  • Just to be sure, are you using Sierra with the latest Safari version ? – Marcs Nov 08 '16 at 17:14
  • yes, sierra with latest, though the problem has persisted for years: http://stackoverflow.com/questions/26858447/ssl-custom-tlds-crossdomain-xml-and-adsense-can-they-play-nicely – coneybeare Nov 08 '16 at 18:47
  • @coneybeare, [this answer](http://stackoverflow.com/a/2542166/3863146) on SO explains why the console error messages appear. – Sahil Nov 09 '16 at 04:31
  • I've seen that, but it's from 2010 – coneybeare Nov 09 '16 at 15:11
  • I checked a little what happens on Safari. I modified some HTTP responses with [mitmproxy](https://mitmproxy.org/). You can create a Python script and feed it to mitmproxy to replace headers on the fly. I messed up a little with CSP, adding `Content-Security-Policy`, `X-Content-Security-Policy` and `X-WebKit-CSP` to the response, but without success. I also checked briefly on chrome and I have a couple of error messages in the console: `net::ERR_NAME_NOT_RESOLVED` related to advertisement scripts. – Marcs Nov 09 '16 at 17:43
  • I did try a generous CSP without success too: http://cloud.coneybeare.me/i1YN – coneybeare Nov 09 '16 at 18:18
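As an added example (not part of the question or of rack-cors itself), a small stdlib-only Ruby check that separates the two mechanisms involved here: what the CORS headers returned by the curl call above actually permit, and the scheme/host/port comparison that Safari's message describes. The response head is constructed to mirror the curl output; the function names are mine.

```ruby
require "uri"

# Constructed response head, shaped like the curl -I output in the question.
SAMPLE_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  Access-Control-Allow-Origin: https://foobar.com
  Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
  Access-Control-Max-Age: 1728000
HTTP

# Parse "Name: value" lines into a hash keyed by lowercase header name.
def parse_headers(raw)
  raw.lines.drop(1).each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.strip if value
  end
end

# CORS: may a script running at +origin+ read a response carrying these headers?
def cors_read_allowed?(headers, origin)
  acao  = headers["access-control-allow-origin"]
  creds = headers["access-control-allow-credentials"].to_s.casecmp?("true")
  return false if acao.nil?
  return !creds if acao == "*"   # browsers reject "*" for credentialed requests
  acao == origin
end

# The shape to watch for: the caller's origin echoed back AND credentials allowed,
# which would let any site read authenticated responses. Not the case above.
def reflects_with_credentials?(headers, origin)
  headers["access-control-allow-origin"] == origin &&
    headers["access-control-allow-credentials"].to_s.casecmp?("true")
end

# Same-origin policy for frame DOM access: scheme, host and port must match.
# CORS headers are not an input to this check, which is why they cannot
# silence the "Blocked a frame with origin ..." message.
def same_origin?(a, b)
  ua, ub = URI(a), URI(b)
  [ua.scheme, ua.host, ua.port] == [ub.scheme, ub.host, ub.port]
end

if __FILE__ == $0
  h = parse_headers(SAMPLE_RESPONSE)
  puts "CORS read from https://foobar.com: #{cors_read_allowed?(h, 'https://foobar.com')}"
  puts "frame access doubleclick -> viewing.nyc: " \
       "#{same_origin?('https://googleads.g.doubleclick.net', 'https://viewing.nyc')}"
end
```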

2 Answers


I think adding content-security-policy headers should help you.

# nginx directive: the header value must be quoted so it is passed as one argument
add_header Content-Security-Policy "script-src 'self' https://googleads.g.doubleclick.net";

Read more here:

https://developers.google.com/web/fundamentals/security/csp/

Samay

This topic (the last answer) states that it should work despite errors. Safari is sensitive to such differences. https://groups.google.com/forum/#!topic/ima-sdk/AxE9vZith00

skippable ads are not supported on iPhone devices and that's why you are experiencing issues with ad playback. I'd suggest adding additional mimeTypes to your tag in order to support use cases across all devices.

As for the error that you originally were experiencing, "Blocked a frame with origin "http://imasdk.googleapis.com" from accessing a frame with origin "http://xxx.xxx.xxx.xxx". Protocols, domains, and ports must match.", we have seen this error before and as you stated it should not affect ad playback. The explanation of this error is a same-origin policy restriction that is disallowing one domain from accessing resources from a different domain. It is blocking Cross-Origin Resources from being shared. You can update your CORS headers, as outlined in our documentation, to allow cross-origin sharing.

Anton Zorin
    Well, yes, this is the question. I have updated my CORS headers as shown above, but am still seeing the issue. This answer just rephrases my question. Ads work, but asking me to simply ignore these 1000's of errors is not an acceptable solution. – coneybeare Nov 08 '16 at 18:50