MailOnline / videojs-vast-vpaid

video.js vast plugin
MIT License

A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true #185

Open ZohaibGhafoor opened 8 years ago

ZohaibGhafoor commented 8 years ago

I have a VAST ad server, and when I put the ad in my player I get this error. How do I solve it, please? A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true.

Fetz commented 8 years ago

If you are having a cross-domain request blocked with Flash, please check this comment:

https://github.com/MailOnline/videojs-vast-vpaid/issues/102

What I recommend is that you contact your ad provider.

From http://www.iab.com/wp-content/uploads/2015/06/VASTv3_0.pdf see page 16

2.1.5.2 Cross Origin Resource Sharing (CORS) for JavaScript

In order for JavaScript video players to accept a VAST response, ad servers must include a CORS header in the http file that wraps the VAST response. The CORS header must be formatted as follows:

Access-Control-Allow-Origin: <origin header value>
Access-Control-Allow-Credentials: true

These HTTP headers allow an ads player on any origin to read the VAST response from the ad server origin. The value of Access-Control-Allow-Origin should be the value of the Origin header sent with the ad request. Setting the Access-Control-Allow-Credentials header to true will ensure that cookies will be sent and received properly. For more information, visit http://www.w3.org/TR/cors

This didn't happen with the Flash video players, because Flash uses another way to allow/block cross-origin resources; see page 15.

kwolniak commented 8 years ago

Hi @Fetz, thank you for your great job! I have the same CORS problem with my ad server. It works in Chrome but it doesn't in Firefox. But when I test my VAST tag in your DEMO it works in FF, so what am I doing wrong?

onecib commented 8 years ago

I also have the same issue. Does anyone have a solution for it?

Fetz commented 8 years ago

@kwolniak Maybe your ad server is allowing some domains and not others...

@xcuben the easy and more future-proof solution is to ask your ad provider to update and respect the spec. The complicated solution is that, if we get that specific CORS error, we can request Flash to load the VAST instead of JS. We didn't implement that hard solution because it would slow down the load of the ad even more, and because Flash was only a transition solution until we start getting more VPAID HTML ads...

ramynasr commented 7 years ago

This is mostly happening where flash can't be used and XMLHttpRequest is used. The plugin sets XMLHttpRequest.withCredentials to true which makes it impossible to use * in the allow origin header.

I have been looking for ways to extend VASTClient to overwrite the method that does that and couldn't; the only option I see so far is to actually overwrite XMLHttpRequest.prototype.send and set withCredentials to false.

NOTE: This will change the behavior of XMLHttpRequest EVERYWHERE, so I personally wouldn't recommend that option as it is too "hacky".
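
Added example, not part of the thread or of the plugin's code: a model of the header rule quoted from the VAST spec above and of the `withCredentials` behaviour described in the last comment. It shows the ad-server side echoing the request's `Origin` and the browser-side check that rejects `*` on a credentialed request. The allowlist, the sample origins and both function names are assumptions made for illustration.

```javascript
// ALLOWED_ORIGINS holds constructed sample publisher origins (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://player.example.com',
  'https://video.example.org',
]);

// Server side (hypothetical helper): CORS headers for a VAST response.
// Echo the request's Origin only when it is on the allowlist; never pair
// '*' with Access-Control-Allow-Credentials: true.
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return { 'Vary': 'Origin' }; // no ACAO header: the browser blocks the read
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stop caches reusing a response issued for another origin
  };
}

// Browser side (hypothetical helper): simplified form of the CORS check in
// the Fetch standard, for a simple non-preflighted GET of the VAST tag.
function browserAllowsRead(pageOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === pageOrigin;
  // Credentialed request: the wildcard is rejected and
  // Access-Control-Allow-Credentials must be exactly "true".
  return acao === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

const page = 'https://player.example.com';
const wildcard = { 'Access-Control-Allow-Origin': '*' };

console.log(browserAllowsRead(page, true, wildcard));             // false: the error in this issue
console.log(browserAllowsRead(page, false, wildcard));            // true: '*' is fine without credentials
console.log(browserAllowsRead(page, true, corsHeadersFor(page))); // true: echoed origin + credentials
console.log(browserAllowsRead('https://other.example', true,
  corsHeadersFor('https://other.example')));                      // false: origin not on the allowlist
```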