SSL, Custom TLD's, Crossdomain.xml and Adsense. Can they play nicely?

Question

I have a new site I am working on that is using adsense. It is https://viewing.nyc and very much a work in progress. I have some adsense ads displaying on the site already and they work -- ins the sense that they actually display ads -- but they output a ton of garbage in the Safari console.

The message I constantly see is the classic:

Blocked a frame with origin "https://googleads.g.doubleclick.net" from accessing a frame with origin "https://viewing.nyc". Protocols, domains, and ports must match.

So, I have been playing around with it for a few days here and there, googling for solutions and trying to understand how I can get around it. I implemented a crossdomain.xml file with the following:

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/crossdomain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.youtube.com" secure="false"/>

  <allow-access-from domain="*.doubleclick.net" secure="false"/>
  <allow-access-from domain="*.2mdn.net" secure="false"/>
  <allow-access-from domain="*.dartmotif.net" secure="false"/>

  <allow-access-from domain="*.doubleclick.net" secure="true"/>

  <allow-access-from domain="*.doubleclick.com" secure="true"/>
  <allow-access-from domain="*.doubleclick.com" secure="false"/>
  <allow-access-from domain="*.2mdn.net" secure="true"/>
  <allow-access-from domain="*.dartmotif.net" secure="true"/>
  <allow-access-from domain="*.gstatic.com" secure="false"/>
</cross-domain-policy>

but no success. Does the problem stem from me having a .nyc top level domain and the adsense sites having .com? Is there a way around these errors?

Answer 1

Your website output the following headers.

X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 86d0d6f2-eba5-46b2-b6cf-9ce77fc1f16e
X-Download-Options: noopen
X-Runtime: 0.955425
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self' viewing.nyc *.viewing.nyc cdn.jsdelivr.net csi.gstatic.com pagead2.googlesyndication.com; font-src 'self' viewing.nyc *.viewing.nyc *.viewingnyc.dev fonts.gstatic.com data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https:; img-src 'self' viewing.nyc *.viewing.nyc *.viewingnyc.dev s3.amazonaws.com pagead2.googlesyndication.com *.amazon-adsystem.com *.ssl-images-amazon.com *.media-amazon.com *.assoc-amazon.com *.twimg.com *.twitter.com *.instagram.com *.facebook.com data:; manifest-src 'self'; media-src utoob.com; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' viewing.nyc *.viewing.nyc *.viewingnyc.dev *.googletagservices.com *.googleadservices.com *.googlesyndication.com adservice.google.com googleads.g.doubleclick.net *.amazon-adsystem.com *.twimg.com *.twitter.com *.instagram.com *.facebook.com *.facebook.net gleam.io js.gleam.io lightwidget.com *.lightwidget.com; style-src 'self' 'unsafe-inline' viewing.nyc *.viewing.nyc *.viewingnyc.dev *.twitter.com *.instagram.com *.facebook.com fonts.googleapis.com gleam.io *.gleam.io; upgrade-insecure-requests

I will advice you to remove Content-Security-Policy header and X-Permitted-Cross-Domain-Policies header. Also remove the crossdomain.xml, If you want AdSense to function properly.

This is not an ideal solution but Google has not given a list of Content-Security-Policy allowed domains, It changes everyday so it is better to avoid these header for now.