Cross-origin resource sharing (CORS) and SSL

Creatives must be SSL-compliant.

All inventory available through Google partners has a secure connection (SSL) and requires SSL-compliant creatives.

For more information, see the SSL implementation guide.

In order for the HTML5 SDK to serve ads over SSL, the ad server must include a Cross-Origin Resource Sharing (CORS) header in all its responses.

CORS extends the standard set of HTTP headers with a new response header that allows servers to specify domains authorized to make file requests. To initiate a cross-origin request, a browser sends the request with an Origin: <domain> HTTP header, where <domain> is the domain that served the page. In response, the server sends Access-Control-Allow-Origin: <domain>, where <domain> is either a list of specific domains or a wildcard to allow all domains.

For example, when a request is sent from to an ad server, the ad server’s response should include either:

Access-Control-Allow-Origin: *



For more information, see the W3 specification or the Google HTML5 SDK documentation..

Was this article helpful?
How can we improve it?