Configuring CORS for VAST servers
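Modern browsers apply same-origin security restrictions to JavaScript network requests, meaning that a web application running from one origin cannot retrieve data served from a different origin. For VAST, this security restriction prevents XMLHttpRequests made from JavaScript VAST rendering code from reading a VAST ad response served from a different origin.

This security restriction is meant to prevent one origin from reading data from another origin that a user may be logged into, without that user's permission. The restriction poses problems for VAST served in a JavaScript environment because an ad server is often on a different domain than the ads player.

Cross-Origin Resource Sharing (CORS) is a W3C draft specification meant to allow sharing across different origins. To be servable in a JavaScript environment, a VAST ad server's response must include the following HTTP CORS headers:
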
Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true
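
These HTTP headers allow an ads player on any origin to read the VAST response from the ad server origin. The value of Access-Control-Allow-Origin: should be the value of the Origin header sent with the ad request. A wildcard (*) cannot be used in its place, because browsers do not expose a credentialed response that carries Access-Control-Allow-Origin: *. The Access-Control-Allow-Credentials: header ensures that cookies are sent and received properly.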
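
One way to produce these headers on the ad server, as an added example that is not code from the original page. The function names, the constructed sample VAST body, the check that the Origin value is a well-formed origin, and the Vary: Origin header are assumptions added here and are not stated on the page.

```javascript
// Added example (not from the original page): CORS headers for a VAST response.

// Accept only a well-formed "scheme://host[:port]" value, so that nothing
// other than an origin is ever reflected into a response header.
// (This validation is an addition; the page only says to echo the Origin.)
function isSerializedOrigin(value) {
  try {
    const url = new URL(value);
    const isHttp = url.protocol === "http:" || url.protocol === "https:";
    return isHttp && url.origin === value;
  } catch {
    return false; // not parseable as a URL (includes the literal "null" origin)
  }
}

// Returns the CORS headers to attach to a VAST response, or {} when the
// request has no usable Origin header (same-origin or non-browser request).
// Node lower-cases incoming header names, hence the "origin" key.
function vastCorsHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (typeof origin !== "string" || !isSerializedOrigin(origin)) {
    return {};
  }
  return {
    // Echo the request's Origin; "*" is not honoured for credentialed requests.
    "Access-Control-Allow-Origin": origin,
    // Lets the browser send and store cookies on the cross-origin ad request.
    "Access-Control-Allow-Credentials": "true",
    // The response now differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Constructed sample VAST body, for illustration only.
const SAMPLE_VAST = '<VAST version="3.0"></VAST>';

// Request handler with the (req, res) shape used by Node's http.createServer.
function handleAdRequest(req, res) {
  res.writeHead(200, {
    "Content-Type": "application/xml",
    ...vastCorsHeaders(req.headers),
  });
  res.end(SAMPLE_VAST);
}
```

On the player side, the XMLHttpRequest must set withCredentials to true for the browser to include cookies on the cross-origin request.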

For more information, refer to the W3C Draft Specification on Cross-Origin Resource Sharing (https://www.w3.org/TR/cors).

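Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-31 UTC.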