The blog of Ross Fruen, a .NET consultant

AMP and its support for inline Content-Security-Policy

Whilst investigating possible future web hosting options I was drawn to one provider who unfortunately do not provide the ability to set http headers.

To provide a modicum of security it would be necessary to set content security policy headers via meta tags.

According to the AMP documentation on securing from third party attacks it is possible to apply the following code into a web page's head:

<meta http-equiv="Content-Security-Policy" content="default-src * data: blob:; script-src blob: https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp">

Implementing a page with an inline CSP fails AMP validation with the error:

 The attribute 'http-equiv' may not appear in tag 'meta'.

It appears that the AMP documentation is wrong.

Add a comment

If you want your comment to appear on this page please complete the form below. Your name and email address are optional, although the latter will be required if you want a response. Your email address will not appear against your comment and will only be used to correspond with yourself (where appropriate).


Thank you for submitting your comment, it will appear here after moderation is complete.


There was a problem sending your comment, please try again.