Modern browsers apply same-origin security restrictions to JavaScript network
requests, meaning that a web application running from one origin cannot retrieve data
served from a different origin. For VAST, this security restriction prevents
JavaScript `XMLHttpRequests` made from JavaScript VAST rendering code from reading
a VAST ad response served from a different origin.

This security restriction is meant to prevent issues where one origin is able
to read data from another origin that a user may be logged into without that
user's permission. The restriction poses problems for VAST served in a JavaScript
environment because an ad server is often on a different domain than the
ads player.

Cross-Origin Resource Sharing (CORS) is a W3C draft specification meant
to allow sharing across different origins. To be servable in a JavaScript
environment, a VAST ad server's response must include the following HTTP CORS headers:

```text
Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true
```

The `Access-Control-Allow-Origin` header allows an ads player on any origin to read the VAST response
from the ad server origin. Its value should be the value of the `Origin` header sent with the ad request.
The `Access-Control-Allow-Credentials` header ensures that
cookies are sent and received properly.

For more information, refer to the [W3C Draft Specification on Cross-Origin Resource Sharing](//www.w3.org/TR/cors).

Last updated 2025-08-28 UTC.
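
One way an ad server could build the two headers described above from the incoming `Origin` header, as an added example that is not code from the original page or from any ad server. The function names, the restriction to well-formed http(s) origins and the `Vary: Origin` header are assumptions of this example.

```javascript
// Added example: build the CORS headers for a VAST response from the request's Origin.
// Assumption: only well-formed http(s) origins are echoed back; "null" and malformed
// values get no CORS headers, so the browser keeps blocking the cross-origin read.

// Return `value` if it is exactly a serialized http(s) origin, otherwise null.
function parseOrigin(value) {
  if (typeof value !== 'string' || value.length > 2048) return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // url.origin is the canonical scheme://host[:port]. Requiring an exact match rejects
  // values carrying a path, userinfo, CR/LF or anything else that is not an origin.
  return url.origin === value ? value : null;
}

function vastCorsHeaders(originHeader) {
  // The response differs per Origin, so shared caches must key on it.
  const headers = { 'Vary': 'Origin' };
  const origin = parseOrigin(originHeader);
  if (origin === null) return headers;
  // A wildcard (*) is not accepted by browsers on credentialed requests,
  // which is why the request's own Origin value is echoed.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Handler with the (req, res) shape used by Node's http module.
// `vastXml` is whatever VAST document the ad server selected for this request.
function handleVastRequest(req, res, vastXml) {
  for (const [name, value] of Object.entries(vastCorsHeaders(req.headers.origin))) {
    res.setHeader(name, value);
  }
  res.setHeader('Content-Type', 'application/xml; charset=utf-8');
  res.statusCode = 200;
  res.end(vastXml);
}
```

Because every origin is echoed with credentials allowed, any site can read this endpoint's responses with the user's ad-server cookies attached, so the VAST response should carry nothing account-specific.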