Modern browsers apply same-origin security restrictions to JavaScript network requests: a web application running from one origin can send a request to a different origin, but it cannot read the response. For VAST, this restriction prevents XMLHttpRequests made from JavaScript VAST rendering code from reading a VAST ad response served from a different origin.
This security restriction is meant to prevent one origin from reading data from another origin that a user may be logged into, without that user's permission. The restriction poses problems for VAST served in a JavaScript environment because the ad server is often on a different domain than the ad player.
Cross-Origin Resource Sharing (CORS) is a W3C specification (now maintained as part of the WHATWG Fetch Standard) that lets a server opt in to having its responses read from other origins. To be servable in a JavaScript environment, a VAST ad server's response must include the following HTTP CORS headers:

    Access-Control-Allow-Origin: <origin header value>
    Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin should be the exact value of the Origin header sent with the ad request. The wildcard value `*` does not work here: browsers reject a wildcard when the request includes credentials, so the ad server has to echo the requesting origin. A server that echoes the origin should also send `Vary: Origin`, otherwise a shared cache may hand one origin's response, with its Allow-Origin value, to a different origin.

The Access-Control-Allow-Credentials: true header ensures that cookies are sent and received properly. It only has an effect if the player's request opts in to credentials as well (for XMLHttpRequest, by setting withCredentials to true); the browser will then expose the response only when both headers are present and the Allow-Origin value matches the request's origin byte for byte.

Note that echoing any Origin with credentials allowed means any web page can make a cookie-bearing request to the ad server and read the result. That is acceptable for ad responses, which are meant to be readable by any player page; the same policy must not be applied to endpoints that return data specific to the logged-in user, which is exactly what the same-origin restriction exists to protect.
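The following is an added example, not code from the VAST specification, the IMA SDK or any particular ad server. It shows the server side (building the two headers above from an incoming request, plus `Vary: Origin` and a refusal to echo the serialized origin `null`, both of which are practical additions beyond what the page lists), a check that mirrors how a browser decides whether a credentialed cross-origin read is allowed, and the browser-side XMLHttpRequest opt-in. The `allowedOrigins` parameter is a hypothetical allow-list knob, not something the page requires; request headers are assumed to be a plain object keyed by lower-case name, as Node's `http` module provides.

```javascript
// Added example for this page (not code from the VAST spec, the IMA SDK or any ad server).
// Server side: build the CORS headers a VAST ad response needs so that JavaScript on a
// different origin can read it with credentials (cookies) included.
// Assumes Node-style request headers: a plain object keyed by lower-case header name.

// Origins that must never be echoed back together with Allow-Credentials. "null" is the
// serialized origin of sandboxed iframes, file:// pages and some redirected requests;
// echoing it would let any such opaque-origin page make credentialed reads.
const NEVER_ECHO = new Set(['null']);

function buildVastCorsHeaders(requestHeaders, allowedOrigins) {
  const origin = requestHeaders['origin'];
  // No Origin header: same-origin request or a non-browser client. No CORS headers needed.
  if (!origin || NEVER_ECHO.has(origin)) {
    return {};
  }
  // Optional allow-list (hypothetical knob, not something the page requires). Returning no
  // CORS headers makes the browser refuse the read; the ad server itself still answers.
  if (allowedOrigins && !allowedOrigins.has(origin)) {
    return {};
  }
  return {
    // Must echo the exact Origin value: "*" is rejected by browsers once credentials are involved.
    'Access-Control-Allow-Origin': origin,
    // Lets the player send cookies with the request and read the credentialed response.
    'Access-Control-Allow-Credentials': 'true',
    // Not listed on the page but needed in practice: without it a shared cache could serve
    // one origin's Allow-Origin value to another origin.
    'Vary': 'Origin',
  };
}

// Decide, the way a browser does, whether a credentialed cross-origin read of this
// response is allowed. Header names are matched case-insensitively, values exactly.
function browserAllowsCredentialedRead(responseHeaders, requestOrigin) {
  const get = (name) => {
    const key = Object.keys(responseHeaders).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : responseHeaders[key];
  };
  const allowOrigin = get('access-control-allow-origin');
  const allowCredentials = get('access-control-allow-credentials');
  // With credentials the wildcard is not accepted, and the value must match the request's
  // Origin byte for byte (no lists, no trailing slash, same scheme and port).
  if (allowOrigin !== requestOrigin) return false;
  return allowCredentials === 'true';
}

// Client side (browser only): the player must opt in to sending cookies cross-origin,
// otherwise Access-Control-Allow-Credentials on the server side has nothing to act on.
function requestVast(adTagUrl, onResponse) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', adTagUrl, true);
  xhr.withCredentials = true; // send/receive cookies; readable only with both headers present
  xhr.onload = () => onResponse(xhr.status, xhr.responseXML);
  xhr.onerror = () => onResponse(0, null); // a CORS failure surfaces as a network error, status 0
  xhr.send();
}

// Wiring into a Node http server, as an ad server would do it:
//   const http = require('http');
//   http.createServer((req, res) => {
//     res.writeHead(200, { 'Content-Type': 'application/xml', ...buildVastCorsHeaders(req.headers) });
//     res.end('<VAST version="4.0">...</VAST>');
//   }).listen(8080);
```

`browserAllowsCredentialedRead` is useful as a unit test for an ad server's CORS configuration: feed it the headers the server would emit for a given Origin and assert that a player on that origin can read the response while a wildcard or missing `Access-Control-Allow-Credentials` cannot.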
For more information, refer to the W3C Draft Specification on Cross-Origin Resource Sharing