RamblingRoss
The blog of Ross Fruen, a .NET consultant

AMP and its support for inline Content-Security-Policy

Whilst investigating possible future web hosting options I was drawn to one provider who unfortunately do not provide the ability to set http headers.

To provide a modicum of security it would be necessary to set content security policy headers via meta tags.

According to the AMP documentation on securing from third party attacks it is possible to apply the following code into a web page's head:

<meta http-equiv="Content-Security-Policy" content="default-src * data: blob:; script-src blob: https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp">

Implementing a page with an inline CSP fails AMP validation with the error:

   The attribute 'http-equiv' may not appear in tag 'meta'.

It appears that the AMP documentation is wrong.

Available for further contracts from September 2019

I will be available for further contracts from September 2019.

Details on skills, recent activities, etc. can be found in my c# contractor cv.

Acrow support for garage roof

The pictures in this post are to show internal and external shots of a garage with acrows supporting the purlins.

Navigation