Cross-origin resource sharing (CORS) and SSL

Learn how to implement CORS
Creatives must be SSL-compliant.

All inventory available through Google partners has a secure connection (SSL) and requires SSL-compliant creatives.

For more information, see the SSL implementation guide.

For the HTML5 SDK to serve ads over SSL, the ad server must include a Cross-Origin Resource Sharing (CORS) header in all its responses.

CORS extends the standard set of HTTP headers with a new response header that allows servers to specify domains authorized to make file requests. To initiate a cross-origin request, a browser sends the request with an Origin: <domain> HTTP header, where <domain> is the domain that served the page. In response, the server sends Access-Control-Allow-Origin: <domain>, where <domain> is either a list of specific domains or a wildcard to allow all domains.

For example, when a request is sent from to an ad server, the ad server’s response should include either:

Access-Control-Allow-Origin: *



For more information, see the W3 specification or the Google HTML5 SDK documentation..

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center