Cross-Origin-Resource-Sharing (CORS) for VAST

Modern browsers apply same-origin security restrictions to JavaScript network requests, meaning that a web application running from one origin cannot retrieve data served from a different origin. For VAST, this security restriction prevents JavaScript XMLHttpRequests made from JavaScript VAST rendering code from reading a VAST ad response served from a different origin.

This security restriction is meant to prevent issues where one origin is able to read data from another origin that a user may be logged into without that user's permission. The restriction poses problems for VAST served in a JavaScript environment because an ad server is often on a different domain than the ads player.

Cross-Origin Resource Sharing (CORS) headers is a W3C draft specification meant to allow sharing across different origins. To be servable in a JavaScript environment a VAST ad server's response must include the following HTTP CORS headers:

Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true
This HTTP header allows an ads player on any origin to read the VAST response from the ad server origin. The value of Access-Control-Allow-Origin: should be the value of the Origin header sent with the ad request. The Access-Control-Allow-Credentials: header ensures that cookies are sent and received properly.

For more information, refer to the W3C Draft Specification on Cross-Origin Resource Sharing