Cross-origin resource sharing (CORS) and SSL

Learn how to implement CORS
Creatives must be SSL-compliant.

All inventory available through Google partners has a secure connection (SSL) and requires SSL-compliant creatives.

For more information, see the SSL implementation guide.

For the HTML5 SDK to serve ads over SSL, the ad server must include a Cross-Origin Resource Sharing (CORS) header in all its responses.

CORS extends the standard set of HTTP headers with a new response header that allows servers to specify domains authorized to make file requests. To initiate a cross-origin request, a browser sends the request with an Origin: <domain> HTTP header, where <domain> is the domain that served the page. In response, the server sends Access-Control-Allow-Origin: <domain>, where <domain> is either a list of specific domains or a wildcard to allow all domains.

For example, when a request is sent from example.com to an ad server, the ad server’s response should include either:

Access-Control-Allow-Origin: *

or

Access-Control-Allow-Origin: https://example.com http://example.com https://s0.2mdn.net http://s0.2mdn.net https://static.doubleclick.net http://static.doubleclick.net

For more information, see the W3 specification or the Google HTML5 SDK documentation..

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Contact us Tell us more and we’ll help you get there
true
Search
Clear search
Close search
Google apps
Main menu
3791481339719197400
true
Search Help Center
true
true
true
true
true
71030
false
false