Cross-Origin-Resource-Sharing (CORS) for VAST

Modern browsers apply same-origin security restrictions to JavaScript network requests, meaning that a web application running from one origin cannot retrieve data served from a different origin. For VAST, this security restriction prevents JavaScript XMLHttpRequests made from JavaScript VAST rendering code from reading a VAST ad response served from a different origin.

This security restriction is meant to prevent issues where one origin is able to read data from another origin that a user may be logged in to without that user's permission. The restriction poses problems for VAST served in a JavaScript environment because an ad server is often on a different domain than the ads player. However, Cross-Origin Resource Sharing (CORS) headers is a W3C recommendation that works around this restriction by allowing sharing across different origins.

CORS headers

To avoid cross-origin problems, VAST ad server responses to requests made by the SDK must include following HTTP CORS headers:

Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true

These headers allow an ads player on any origin to read the VAST response from the ad server origin. Set the value of Access-Control-Allow-Origin to the value of the Origin header sent with the ad request, and Access-Control-Allow-Credentials to true to ensure that cookies are sent and received properly.

For further instructions on enabling CORS, see Enable cross-origin resource sharing.