Configure CORS for VAST servers

  • Modern browsers restrict JavaScript from accessing data from different origins for security reasons, impacting VAST ads served from a separate domain than the player.

  • Cross-Origin Resource Sharing (CORS) headers enable cross-origin data sharing, allowing VAST ads to be served from a different domain than the player.

  • VAST ad server responses should include specific CORS headers: Access-Control-Allow-Origin (set to the request's Origin header value) and Access-Control-Allow-Credentials (set to true).

Select platform: HTML5 iOS

Modern browsers apply same-origin security restrictions to JavaScript network requests, meaning that a web application running from one origin cannot retrieve data served from a different origin. For VAST, this security restriction prevents JavaScript XMLHttpRequests made from JavaScript VAST rendering code from reading a VAST ad response served from a different origin.

This security restriction is meant to prevent issues where one origin is able to read data from another origin that a user may be logged in to without that user's permission. The restriction poses problems for VAST served in a JavaScript environment because an ad server is often on a different domain than the ads player. However, Cross-Origin Resource Sharing (CORS) headers is a W3C recommendation that works around this restriction by allowing sharing across different origins.

CORS headers

To avoid cross-origin problems, VAST ad server responses to requests made by the SDK must include following HTTP CORS headers:

Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true

These headers allow an ads player on any origin to read the VAST response from the ad server origin. Set the value of Access-Control-Allow-Origin to the value of the Origin header sent with the ad request, and Access-Control-Allow-Credentials to true to ensure that cookies are sent and received properly.

For further instructions on enabling CORS, see Enable cross-origin resource sharing.