Modern browsers apply same-origin security restrictions to JavaScript network requests, meaning that a web application running from one origin cannot retrieve data served from a different origin. For VAST, this security restriction prevents JavaScript XMLHttpRequests made from JavaScript VAST rendering code from reading a VAST ad response served from a different origin.
This security restriction is meant to prevent issues where one origin is able to read data from another origin that a user may be logged in to without that user's permission. The restriction poses problems for VAST served in a JavaScript environment because an ad server is often on a different domain than the ads player. However, Cross-Origin Resource Sharing (CORS) headers is a W3C recommendation that works around this restriction by allowing sharing across different origins.
CORS headers
To avoid cross-origin problems, VAST ad server responses to requests made by the SDK must include following HTTP CORS headers:
Access-Control-Allow-Origin: <origin header value> Access-Control-Allow-Credentials: true
These headers allow an ads player on any origin to read the VAST response
from the ad server origin. Set the value of Access-Control-Allow-Origin
to the value of the Origin header sent with the ad request, and
Access-Control-Allow-Credentials to true to ensure
that cookies are sent and received properly.
For further instructions on enabling CORS, see Enable cross-origin resource sharing.