requests, meaning that a web application running from one origin cannot retrieve data
served from a different origin. For VAST, this security restriction prevents
a VAST ad response served from a different origin.
Access-Control-Allow-Origin: <origin header value> Access-Control-Allow-Credentials: trueThis HTTP header allows an ads player on any origin to read the VAST response from the ad server origin. The value of
Access-Control-Allow-Origin:should be the value of the
Originheader sent with the ad request. The
Access-Control-Allow-Credentials:header ensures that cookies are sent and received properly.
For more information, refer to the W3C Draft Specification on Cross-Origin Resource Sharing