Disabling withCredentials for XMLHttpRequest?


Arnaud Leyder

Aug 27, 2016, 9:16:45 AM
to Interactive Media Ads SDK
HTML5 IMA SDK.
I know CORS-related issues are frequent here but I have not found an answer to this one.
I have an adTag (this is a very basic test tag) https://www.radiantmediaplayer.com/vast/tags2/inline.xml
When I play it in our player or the Video Suite Inspector I can see it plays the ad but it logs in the console:

XMLHttpRequest cannot load https://www.radiantmediaplayer.com/vast/tags2/inline.xml. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'https://imasdk.googleapis.com' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.

BUT it plays the ad in latest Chrome.
I am aware I should have proper CORS settings for withCredentials request on my server. I have done so here and it works without error message: https://www.radiantmediaplayer.com/vast/tags/inline.xml

Problem is that I have feedback from some users that are using non-Google ad providers that they cannot easily work with XMLHttpRequest and withCredentials set. So the question is: can the withCredentials attribute of XMLHttpRequest be disabled at the SDK level, like with a parameter? As such it would work without error message for wildcard * CORS without credentials.

Another question: can the error message be ignored given the fact that the ad plays?

I guess my question is also about why the withCredentials is necessary for the IMA SDK (I understand it passes cookies and provides better security).

Thanks
Arnaud

Vu Chau (IMA SDK Team)

Aug 29, 2016, 4:53:36 PM
to Interactive Media Ads SDK
Hi Arnaud,

It looks like the error originates from the browser and not the SDK.  Since it's thrown by the browser (due to the ad request originating from third-party servers) at the network level, I don't think there's a way in IMA to suppress it.

I will continue looking into this and explore ways to best handle this scenario.

Thanks,

Vu Chau
IMA SDK Team

Arnaud Leyder

Aug 30, 2016, 4:39:51 AM
to ima...@googlegroups.com

Hi Vu,

Just to add to your answer.

I can see the error on latest Chrome, Firefox, Edge. In my experience this error is due to the withCredentials property set to true on the XMLHttpRequest Object: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials.

The error message seems to indicate that this property is set within the IMA JavaScript SDK.

I am a bit confused because in a post here: https://developers.google.com/interactive-media-ads/docs/sdks/html5/community?place=msg%2Fima-sdk%2FYOzE8dH6JCY%2F0D8VIJMXBQAJ it states that both solutions should work. However modern browsers do block inaccurate CORS requests. So given the fact that the ad plays I am wondering if this error is not due to non-critical sub-processes of the SDK (like logging or such).

I just want to know what we should be telling 3rd party ad servers. Must they set Access-Control-Allow-Credentials: true with proper Access-Control-Allow-Origin on the server to work with HTML5 SDK or can they also use Access-Control-Allow-Origin: * while Access-Control-Allow-Credentials: false is set?

Thanks

Arnaud


Vu Chau (IMA SDK Team)

Aug 30, 2016, 11:24:48 AM
to Interactive Media Ads SDK
Hi Arnaud,

The post you referenced was actually resolved by a different solution. The developer on that thread originally created tags that used our VPAID adapter, which is hosted on a domain that isn't CORS-enabled. So since at a developer level there is no way to modify that server's settings, we had him create new tags that do not use the VPAID adapter. That worked out since using the IMA SDK nullifies the need to use the VPAID adapter.

As to the scenario we are looking at, I would not set a wildcard for Access-Control-Allow-Origin, since that would allow accesses from all origins, and again negates the need for CORS at all.  

We're still discussing internally as to how best to resolve this warning.  I will ping this thread with an update!

Vu Chau
IMA SDK Team

Vu Chau (IMA SDK Team)

Aug 31, 2016, 4:20:26 PM
to Interactive Media Ads SDK
Hi Arnaud,

To rectify this, modify the server's Access-Control-Allow-Origin to allow for "https://imasdk.googleapis.com/", which is the value of the Origin header in the ad request.  Currently your server is passing in the wildcard * so the browser (rather than the SDK) is flagging it due to security policies. 

If the Origin header in the request matches up with the Access-Control-Allow-Origin, there should be no warning from the browser.

Vu Chau
IMA SDK Team
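
Added example, not part of the original thread and not IMA SDK code: a simplified model of the browser's CORS check for a request sent with withCredentials, next to a server-side header builder that passes it. The function names and the allowlist are hypothetical; origins are compared as exact strings, and the Origin value in the console error from the first post has no trailing slash.

```javascript
// Added example; function names and the allowlist are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://imasdk.googleapis.com']);

// Server side: headers to attach to the VAST response for a given Origin.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { 'Vary': 'Origin' }; // shared caches must key on Origin
  if (origin && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // exact echo, never '*'
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side: the CORS check, simplified from the Fetch standard.
function corsCheck(requestOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return { ok: false, reason: 'missing allow-origin' };
  if (!withCredentials && acao === '*') return { ok: true, reason: 'wildcard' };
  if (acao !== requestOrigin) {
    const reason = acao === '*' ? 'wildcard with credentials' : 'origin mismatch';
    return { ok: false, reason };
  }
  if (!withCredentials) return { ok: true, reason: 'origin match' };
  return headers['Access-Control-Allow-Credentials'] === 'true'
    ? { ok: true, reason: 'origin match with credentials' }
    : { ok: false, reason: 'allow-credentials not true' };
}

// Constructed cases mirroring the thread.
function runCases() {
  const sdk = 'https://imasdk.googleapis.com';
  const wildcard = { 'Access-Control-Allow-Origin': '*' };
  const slash = { 'Access-Control-Allow-Origin': sdk + '/',
                  'Access-Control-Allow-Credentials': 'true' };
  return {
    wildcardWithCredentials: corsCheck(sdk, true, wildcard),
    wildcardNoCredentials: corsCheck(sdk, false, wildcard),
    echoedOrigin: corsCheck(sdk, true, corsHeadersFor(sdk)),
    trailingSlash: corsCheck(sdk, true, slash),
    unknownOrigin: corsCheck('https://example.invalid', true,
                             corsHeadersFor('https://example.invalid')),
  };
}

console.log(runCases());
```

Echoing the Origin only after an allowlist lookup, together with Vary: Origin, keeps a shared cache from serving one origin's response headers to another.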

Arnaud Leyder

Sep 1, 2016, 12:00:46 PM
to ima...@googlegroups.com

Hi Vu,

Thanks for your answers.

I understand now that the wildcard option is not possible with the SDK as it will negate the use for CORS.

I already have another server config to properly set access-control-allow-origin which does not cause the error message.

Arnaud
