Configure CORS for VAST servers
Stay organized with collections
Save and categorize content based on your preferences.
Modern browsers apply same-origin security restrictions to JavaScript network
requests, meaning that a web application running from one origin cannot retrieve data
served from a different origin. For VAST, this security restriction prevents
JavaScript XMLHttpRequests made from JavaScript VAST rendering code from reading
a VAST ad response served from a different origin.
This security restriction is meant to prevent issues where one origin is able
to read data from another origin that a user may be logged in to without that
user's permission. The restriction poses problems for VAST served in a JavaScript
environment because an ad server is often on a different domain than the
ads player. However, Cross-Origin Resource Sharing (CORS)
headers is a W3C recommendation that works around this restriction by allowing
sharing across different origins.
CORS headers
To avoid cross-origin problems, VAST ad server responses to requests made by the SDK must
include following HTTP CORS headers:
Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true
These headers allow an ads player on any origin to read the VAST response
from the ad server origin. Set the value of Access-Control-Allow-Origin
to the value of the Origin header sent with the ad request, and
Access-Control-Allow-Credentials to true to ensure
that cookies are sent and received properly.
For further instructions on enabling CORS, see
Enable cross-origin resource sharing.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-28 UTC.
[null,null,["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eModern browsers restrict JavaScript from accessing data from different origins for security reasons, impacting VAST ads served from a separate domain than the player.\u003c/p\u003e\n"],["\u003cp\u003eCross-Origin Resource Sharing (CORS) headers enable cross-origin data sharing, allowing VAST ads to be served from a different domain than the player.\u003c/p\u003e\n"],["\u003cp\u003eVAST ad server responses should include specific CORS headers: \u003ccode\u003eAccess-Control-Allow-Origin\u003c/code\u003e (set to the request's \u003ccode\u003eOrigin\u003c/code\u003e header value) and \u003ccode\u003eAccess-Control-Allow-Credentials\u003c/code\u003e (set to \u003ccode\u003etrue\u003c/code\u003e).\u003c/p\u003e\n"]]],[],null,["# Configure CORS for VAST servers\n\nModern browsers apply same-origin security restrictions to JavaScript network\nrequests, meaning that a web application running from one origin cannot retrieve data\nserved from a different origin. For VAST, this security restriction prevents\nJavaScript XMLHttpRequests made from JavaScript VAST rendering code from reading\na VAST ad response served from a different origin.\n\nThis security restriction is meant to prevent issues where one origin is able\nto read data from another origin that a user may be logged in to without that\nuser's permission. The restriction poses problems for VAST served in a JavaScript\nenvironment because an ad server is often on a different domain than the\nads player. However, [Cross-Origin Resource Sharing (CORS)](//www.w3.org/TR/cors)\nheaders is a W3C recommendation that works around this restriction by allowing\nsharing across different origins.\n\nCORS headers\n------------\n\nTo avoid cross-origin problems, VAST ad server responses to requests made by the SDK must\ninclude following HTTP CORS headers: \n\n```text\nAccess-Control-Allow-Origin: \u003corigin header value\u003e\nAccess-Control-Allow-Credentials: true\n```\n\nThese headers allow an ads player on any origin to read the VAST response\nfrom the ad server origin. Set the value of `Access-Control-Allow-Origin`\nto the value of the `Origin` header sent with the ad request, and\n`Access-Control-Allow-Credentials` to `true` to ensure\nthat cookies are sent and received properly.\n\nFor further instructions on enabling CORS, see\n[Enable cross-origin resource sharing](//enable-cors.org/)."]]