The blog of Ross Fruen, a .NET consultant

SiteGround redirect loop to /.well-known/captcha/

Recently an attempt was made to add this site to the list of websites built using 11ty.

Whilst verifying the pull request the site was found to be stuck in an infinite redirect loop as shown below:

After a bit of digging a SiteGround blog entry provided an indication of what may be happening.

It seemed the pull request reviewer was being identified as a bot and was therefore being redirected to /.well-known/captcha/. After a quick web-chat with SiteGround it seemed the anti-bot AI was infamous for causing such issues, and an offer was made to disable it.

AMP and its support for inline Content-Security-Policy

Whilst investigating possible future web hosting options I was drawn to one provider that unfortunately does not allow custom HTTP response headers to be set.

To provide a modicum of security it would be necessary to deliver the Content-Security-Policy via a meta element instead of a response header. This is a weaker delivery mechanism: the CSP specification states that the frame-ancestors, report-uri and sandbox directives are ignored when the policy is delivered via meta, and the policy only governs content parsed after the element, so it should be placed as early in the head as possible.

According to the AMP documentation on securing from third party attacks, the following meta element can be placed in a web page's head:

<meta http-equiv="Content-Security-Policy" content="default-src * data: blob:; script-src blob: https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp">
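Before relying on a meta-delivered policy it is worth checking which directives will actually take effect. The script below is an added example, not code from the original post or from AMP: it parses a CSP string into its directives, flags the directives the CSP specification ignores when delivered via meta (report-uri, frame-ancestors, sandbox), and flags the permissive sources in the AMP policy above (the default-src wildcard and 'unsafe-inline' in style-src). The page HTML it reads the policy from is a constructed sample; the function names are my own.

```javascript
// Lint a Content-Security-Policy that is delivered through
// <meta http-equiv="Content-Security-Policy"> rather than a response header.
// Added example; not code from the original post or from the AMP project.

// Directives the CSP spec says are ignored when the policy comes from <meta>.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Directives whose source lists we check for overly permissive entries.
const FETCH_DIRECTIVES = ['default-src', 'script-src', 'style-src', 'object-src'];

// The policy from the AMP documentation, copied verbatim from the post above.
const AMP_CSP =
  "default-src * data: blob:; script-src blob: https://cdn.ampproject.org/v0.js " +
  "https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/ " +
  "https://cdn.ampproject.org/rtv/; object-src 'none'; style-src 'unsafe-inline' " +
  "https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com " +
  "https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com " +
  "https://maxcdn.bootstrapcdn.com https://p.typekit.net https://use.fontawesome.com " +
  "https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp";

// Constructed sample page carrying that policy in its head.
const SAMPLE_HTML =
  '<!doctype html><html><head><meta charset="utf-8">' +
  '<meta http-equiv="Content-Security-Policy" content="' + AMP_CSP + '">' +
  '<title>sample</title></head><body></body></html>';

// Pull the content attribute of the CSP meta element out of page HTML.
// The backreferences keep single quotes inside the policy ('none', 'unsafe-inline')
// from terminating the attribute value early.
function cspFromMeta(html) {
  const m = html.match(
    /<meta\s+http-equiv=(["'])Content-Security-Policy\1\s+content=(["'])(.*?)\2/i
  );
  return m ? m[3] : null;
}

// Parse "directive source source; directive ..." into Map<directive, string[]>.
// Per spec a repeated directive name is ignored, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of human-readable findings for a meta-delivered policy.
function lintMetaCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  for (const name of d.keys()) {
    if (META_UNSUPPORTED.has(name)) {
      findings.push(`${name}: ignored when the policy is delivered via <meta>`);
    }
  }
  for (const name of FETCH_DIRECTIVES) {
    const sources = d.get(name);
    if (!sources) continue;
    if (sources.includes('*')) {
      findings.push(`${name}: wildcard '*' allows loads from any origin`);
    }
    if (sources.includes("'unsafe-inline'")) {
      findings.push(`${name}: 'unsafe-inline' permits inline content`);
    }
  }
  // script-src falls back to default-src when absent; a '*' fallback is script from anywhere.
  if (!d.has('script-src') && (d.get('default-src') || []).includes('*')) {
    findings.push("script-src: absent, so it inherits default-src '*'");
  }
  return findings;
}

// Usage: lint the policy embedded in the constructed sample page.
for (const finding of lintMetaCsp(cspFromMeta(SAMPLE_HTML))) {
  console.log(finding);
}
```

Run against the AMP policy this reports three findings: the report-uri directive is silently dropped (so no violation reports will ever reach the collector when the policy is delivered via meta), default-src permits any origin, and style-src allows inline styles. The object-src 'none' and the pinned script-src origins are the parts of the policy doing real work.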

Implementing a page with an inline CSP fails AMP validation with the error:

 The attribute 'http-equiv' may not appear in tag 'meta'.

It appears that the AMP documentation and the AMP validator disagree: a page carrying the documented meta element does not validate. In practice this means that on a host which cannot set response headers, a valid AMP page cannot carry a Content-Security-Policy at all.