Turns out Safari does send a Location header even if the form is hosted on the same domain and some other browsers don't. The location header value (cdn url) will not match with the application url (ec2 url) and the request will be marked as invalid in rails. I had protect_from_forgery instead of protect_from_forgery with: :exception and it took me quite a while to see this because i didn't receive any noticeable errors. The solution for me was to disable this setting:
Rails.application.config.action_controller.forgery_protection_origin_check = falseThe default state of this setting was flipped in Rails 5.