RamblingRoss
The blog of Ross Fruen, a .NET consultant

AMP and its support for inline Content-Security-Policy
Whilst investigating possible future web hosting options I was drawn to one provider that unfortunately does not provide the ability to set HTTP headers.
To provide a modicum of security it would be necessary to set Content-Security-Policy via meta tags instead.
According to the AMP documentation on securing pages from third-party attacks, it is possible to add the following tag to a web page's head:
<meta http-equiv="Content-Security-Policy" content="default-src * data: blob:; script-src blob: https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp">
Implementing a page with an inline CSP fails AMP validation with the error:
The attribute 'http-equiv' may not appear in tag 'meta'.
It appears that the AMP documentation is wrong.
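As an added example (not code from the post or from the AMP project), the following Python parses the policy string from the meta tag above into its directives, shows which source list actually governs each resource type once default-src fallback is applied (scripts and styles have their own lists, images and fonts inherit the wildcard), and flags the permissive parts. The directive and source values are copied from the page; the helper names are my own.

```python
# Added example (not from the post): parse the CSP quoted above into directives,
# show which source list governs each resource type (default-src fallback),
# and flag the permissive settings a reviewer would note.

# Policy string copied from the page's <meta http-equiv="Content-Security-Policy"> tag.
AMP_CSP = (
    "default-src * data: blob:; "
    "script-src blob: https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ "
    "https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/; "
    "object-src 'none'; "
    "style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ "
    "https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net "
    "https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net "
    "https://use.fontawesome.com https://use.typekit.net; "
    "report-uri https://csp-collector.appspot.com/csp/amp"
)

# Fetch directives that inherit default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}

def parse_csp(policy):
    """Split a serialized policy into {directive: [source expressions]}.
    Names are case-insensitive; a repeated directive keeps its first occurrence."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def effective_sources(directives, name):
    """Source list that actually governs `name`, honouring default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", [])
    return []  # non-fetch directive (e.g. report-uri) that is simply absent

def weaknesses(directives):
    """Permissive settings worth reporting: wildcard hosts and 'unsafe-inline'."""
    findings = []
    for name in sorted(FETCH_DIRECTIVES | {"default-src"}):
        sources = effective_sources(directives, name)
        if "*" in sources:
            findings.append(f"{name}: wildcard host source")
        if "'unsafe-inline'" in sources:
            findings.append(f"{name}: 'unsafe-inline'")
    return findings
```

Running `weaknesses(parse_csp(AMP_CSP))` lists the six directives that silently inherit the `*` wildcard plus the `'unsafe-inline'` on style-src, which is why this policy is only a modicum of protection even where a host does let you set it.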
Comments

Hi, did you find a solution for this?
Quite confusing, how would you implement such a content policy otherwise for AMP pages?

Thanks for your comment about implementing content policies for AMP pages. In the end I had to use another hosting outfit that allows the setting of HTTP headers via .htaccess. Sorry I can't provide a better answer!