AMP and its support for inline Content-Security-Policy
Whilst investigating possible future web hosting options I was drawn to one provider who unfortunately do not provide the ability to set http headers.
To provide a modicum of security it would be necessary to set content security policy headers via meta tags.
According to the AMP documentation on securing from third party attacks it is possible to apply the following code into a web page's head:
<meta http-equiv="Content-Security-Policy" content="default-src * data: blob:; script-src blob: https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp">
Implementing a page with an inline CSP fails AMP validation with the error:
The attribute 'http-equiv' may not appear in tag 'meta'.
It appears that the AMP documentation is wrong.