VAST Video Ads and the CORS header

Written by Roy
Apr 18, 2021 • 3 min read

Are you performing Quality Assurance checks on VAST creatives? One of the first things we want to check is the presence of the CORS header (access-control-allow-origin). Learn why CORS should be on #1 of your QA checklist.

What is this all about?

Web video players make an ad request to the ad server using the JavaScript XMLHttpRequest (XHR). Browsers apply a security restriction called same-origin to these XHR requests, meaning that cannot retrieve data served from This is exactly the setup we see with VAST video ads.

The security restriction on XHR requests is meant to avoid issues with people being logged in on a different website that is displayed in the browser bar. In theory, someone could steal account information if the same-origin policy was not applied.

What if the CORS header is missing?

If this HTTP header is not added to the response, a VAST-compliant video player will not be able to fetch ads. You may want to reach out to your advertiser or ad server vendor to address the issue.

How can I check if the CORS header is present?

There a simple and an even more simple way to check the CORS header:

  • Use Chrome. Open Chrome Dev Tools (CTRL + SHIFT + J) and click the Network tab. Then, load the VAST tag URL and check the response headers of the HTTP request.
  • Use Go to and enter your VAST URL in the box. Launch the scan and you'll get a quality assurance report that mentions presence of the CORS header. If the test fails, you may want to contact your advertiser or ad server vendor to have the issue fixed.
    The VAST inspector has 30 free Quality Assurance tests that let you pre-validate video ads before they go live. Think about the video codec, a skip option, HD/FHD requirements, mime-types, download speed and many more.

What should be the value of the CORS header?

It should either echo the origin, or be a wildcard. For example, if the VAST video player runs on, the ad server hosting the VAST tag should add the following HTTP header: Access-control-allow-origin:

To use a wildcard, which essentially allows every domain to load the tag, the following header should be added: Access-control-allow-origin: *

External Resources