Cross-origin resource sharing (CORS) and SSL

Learn how to implement CORS
Creatives must be SSL-compliant.

All inventory available through Google partners has a secure connection (SSL) and requires SSL-compliant creatives.

For more information, see the SSL implementation guide.

For the HTML5 SDK to serve ads over SSL, the ad server must include a Cross-Origin Resource Sharing (CORS) header in all its responses.

CORS extends the standard set of HTTP headers with a new response header that allows servers to specify domains authorized to make file requests. To initiate a cross-origin request, a browser sends the request with an Origin: <domain> HTTP header, where <domain> is the domain that served the page. In response, the server sends Access-Control-Allow-Origin: <domain>, where <domain> is either a list of specific domains or a wildcard to allow all domains.

For example, when a request is sent from example.com to an ad server, the ad server’s response should include either:

Access-Control-Allow-Origin: *

or

Access-Control-Allow-Origin: https://example.com http://example.com https://s0.2mdn.net http://s0.2mdn.net https://static.doubleclick.net http://static.doubleclick.net

For more information, see the W3 specification or the Google HTML5 SDK documentation..

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Search
Clear search
Close search
Google apps
Main menu
12063950819142710653
true
Search Help Center
true
true
true
true
true
71030
false
false