Exactly same thing here, I use it for secure my admin acount and got "The client origin is not permitted to use this API.". And like you, my domain is correctly allowed console.developers.google.com.
I guess they don't even patch, the ninja block everything until they got better. It's stupid since they got the information before, and could prepare it. It prove again than full disclosure is usefull.
I guess they don't even patch, the ninja block everything until they got better. It's stupid since they got the information before, and could prepare it. It prove again than full disclosure is usefull.