In the AMP docs, the following snippet is given:

Origin header is set:
- If the origin does not match one of the following values, stop and return an error response:
  - the publisher’s origin (aka yours)
  where * represents a wildcard match, and not an actual asterisk ( * ).
- Otherwise, process the request.

Origin header is NOT set:
- Verify that the request contains the AMP-Same-Origin: true header. If the request does not contain this header, stop and return an error response.
- Otherwise, process the request.
What I don’t understand is how the AMP-Same-Origin header provides a form of security. Couldn’t anyone provide an AMP-Same-Origin: true header in a browser missing the Origin header and skip CSRF protection even if it’s not on a trusted AMP CDN?
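The following is an added example, not code from the question or from the AMP project, showing the quoted rule as server-side logic in Node.js. The security-relevant point it encodes is that AMP-Same-Origin is a custom request header: a browser will not attach it to a cross-origin request unless a CORS preflight first succeeds and the server lists it in Access-Control-Allow-Headers, and a cross-origin browser request always carries an Origin header, which routes it into the first branch of the rule. The publisher origin and the wildcard cache pattern below are constructed placeholders, not the real values from the AMP docs, and the header object shape follows Node's http module, which lowercases incoming header names.

```javascript
// Added example (not the AMP project's code): apply the AMP CORS/CSRF rule
// to an incoming request's headers and decide CORS preflights.

// Placeholder origins; substitute the publisher's real origin and the
// documented AMP cache patterns. '*' stands for a run of hostname characters.
const PUBLISHER_ORIGIN = 'https://publisher.example';
const ALLOWED_ORIGIN_PATTERNS = [
  PUBLISHER_ORIGIN,
  'https://*.amp-cache.example', // constructed placeholder, not a real cache
];

// Turn a pattern such as 'https://*.amp-cache.example' into an anchored regex.
// Every regex metacharacter except '*' is escaped, then '*' becomes a
// hostname-character run, so 'https://amp-cache.example.evil.test' cannot match.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\\/]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '[a-z0-9.-]+') + '$', 'i');
}

const ALLOWED_ORIGIN_REGEXPS = ALLOWED_ORIGIN_PATTERNS.map(patternToRegExp);

function isAllowedOrigin(origin) {
  return ALLOWED_ORIGIN_REGEXPS.some((re) => re.test(origin));
}

// The rule from the AMP docs: with an Origin header, the origin must be on the
// allow list; without one, the request must carry AMP-Same-Origin: true.
// Returns { allowed, reason } so callers can log why a request was refused.
function checkAmpRequest(headers) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // Origin present: the custom header is irrelevant, only the allow list counts.
    return isAllowedOrigin(origin)
      ? { allowed: true, reason: 'origin on allow list' }
      : { allowed: false, reason: 'origin not on allow list' };
  }
  if (headers['amp-same-origin'] === 'true') {
    return { allowed: true, reason: 'same-origin request' };
  }
  return { allowed: false, reason: 'no Origin and no AMP-Same-Origin: true' };
}

// Request headers a cross-origin caller may send; AMP-Same-Origin is deliberately
// absent, so a preflight asking for it gets no CORS headers and the browser
// refuses to send the actual request.
const CORS_ALLOWED_REQUEST_HEADERS = ['content-type'];

// Decide an OPTIONS preflight. Returns the CORS response headers to emit, or
// null when the browser should be given nothing (which makes it block the call).
function preflightDecision(headers) {
  const origin = headers['origin'];
  if (origin === undefined || !isAllowedOrigin(origin)) return null;
  const requested = (headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const refused = requested.filter((h) => !CORS_ALLOWED_REQUEST_HEADERS.includes(h));
  if (refused.length > 0) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Headers': requested.join(', '),
    'Vary': 'Origin',
  };
}

// Constructed sample requests, as Node's req.headers would present them.
const SAMPLE_REQUESTS = [
  { origin: 'https://publisher.example' },
  { origin: 'https://pub-example.cdn.amp-cache.example' },
  { origin: 'https://evil.test', 'amp-same-origin': 'true' },
  { 'amp-same-origin': 'true' },
  {},
];

for (const headers of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(headers), '->', checkAmpRequest(headers));
}
```

The third sample is the case the question asks about: a cross-origin page can set AMP-Same-Origin only through a preflight, the preflight is refused because the header is not in CORS_ALLOWED_REQUEST_HEADERS, and even if the actual request were sent it would carry an Origin header and be judged on the allow list alone.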