When you load a <track> from a different domain than your website, the browser treats it as a cross-origin request. By default, browsers block these for security reasons unless the server hosting the subtitles explicitly says, "I allow this."

Here is how to fix it in two steps:

1. Update your HTML

You need to tell the <video> tag to use CORS when fetching resources. Add the crossorigin attribute to your video element:

HTML

<video width="100%" controls crossorigin="anonymous">
  <source src="https://example.com/path/to/video.mp4" type="video/mp4">
  <track 
    src="https://example.com/path/to/subtitles_de.vtt" 
    kind="subtitles" 
    srclang="de" 
    label="Deutsch" 
    default />
</video>

Note: Use crossorigin="anonymous" if the subtitle file doesn't require user credentials (like cookies or HTTP auth) to be accessed.

2. Configure your Server/CDN

The server hosting the .vtt file must return a header that allows your website to read it. You need to add the following header to the response of the .vtt files:

Access-Control-Allow-Origin: * (Or replace * with your specific domain, e.g., https://yourwebsite.com)

How to add this on common servers:

• Apache (.htaccess):

Apache
<FilesMatch "\.(vtt)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>

• Nginx:
• Nginx

location ~* \.vtt$ {
    add_header Access-Control-Allow-Origin *;
}

• S3 / CloudFront: You must go to the CORS configuration of your S3 bucket and add a rule allowing the GET method for your domain.

Why is this happening?

The browser sends a "Preflight" request (or checks the headers) to ensure the external server trusts your website. If the Access-Control-Allow-Origin header is missing, the browser will silently fail to load the track, even if the file is publicly accessible via a direct link.