diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index d16405e30..b6c5f2aa8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -11,6 +11,16 @@ module ApplicationHelper
   include CanonicalURL::Helpers
   include ConfigurableUrls
 
+  def script(*args)
+    # This crazy stuff is needed to get window.onerror working under a CDN
+    # NGINX change is also required and baked into sample config
+    if GlobalSetting.cdn_url
+      javascript_include_tag(*args, "crossorigin" => "anonymous")
+    else
+      javascript_include_tag(*args)
+    end
+  end
+
   def discourse_csrf_tags
     # anon can not have a CSRF token cause these are all pages
     # that may be cached, causing a mismatch between session CSRF
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 3f47d40e0..ae8dff784 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -16,12 +16,12 @@
     <link rel="icon" type="image/png" href="<%=SiteSetting.favicon_url%>">
     <link rel="apple-touch-icon" type="image/png" href="<%=SiteSetting.apple_touch_icon_url%>">
 
-    <%= javascript_include_tag "preload_store" %>
-    <%= javascript_include_tag "locales/#{I18n.locale}" %>
-    <%= javascript_include_tag "vendor" %>
-    <%= javascript_include_tag "application" %>
+    <%= script "preload_store" %>
+    <%= script "locales/#{I18n.locale}" %>
+    <%= script "vendor" %>
+    <%= script "application" %>
     <%- if staff? %>
-      <%= javascript_include_tag "admin"%>
+      <%= script "admin"%>
     <%- end %>
 
     <%= render :partial => "common/special_font_face" %>
diff --git a/config/nginx.sample.conf b/config/nginx.sample.conf
index c59bb331d..aba79223e 100644
--- a/config/nginx.sample.conf
+++ b/config/nginx.sample.conf
@@ -43,7 +43,7 @@ server {
   set $public /var/www/discourse/public;
 
   # Prevent Internet Explorer 10 "compatibility mode", which breaks Discourse.
-  # If other subdomains under your domain are supposed to use Internet Explorer Compatibility mode, 
+  # If other subdomains under your domain are supposed to use Internet Explorer Compatibility mode,
   # it may be used for this one too, unless you explicitly tell IE not to use it.  Alternatively,
   # some people have reported having compatibility mode "stuck" on for some reason.
   # (This will also prevent compatibility mode in IE 8 and 9, but those browsers aren't supported anyway.
@@ -62,6 +62,8 @@ server {
       expires 1y;
       add_header ETag "";
       add_header Cache-Control public;
+      # enables window.onerror
+      add_header Access-Control-Allow-Origin *;
       break;
     }