Odd requests to non-existing pages that all include "6_S3_"
Regardless of the server you use this HTTP header solves the OP's problem and also provides additional security against XSS attacks:
Content-Security-Policy: script-src s.colnect.net *.google-analytics.com 'unsafe-inline'
We also receive hundreds of request like this originating from iframe elements included in our partners' site. I haven't figured out exactly what causes it but I updated the web server (Apache) configuration to include a CSP header in the response:
Header set Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; img-src data:"
This prevents any injected content to be loaded or executed inside our frame, but it allows to use inline style tags and images with "data:" URIs which is enough in our case.