by mschoebel 3533 days ago
Let's see if I got that right: Specification says I must load the AMP script from cdn.ampproject.org?

If yes, then there is no effing way that I will ever use this. I will NOT use something that forces me to load scripts from a host that I have no control over. Does nobody see what a HUGE security risk that is???

3 comments

You got that right, and it's a fairly common critique of AMP.

The target group for AMP (traditional publishing sites) loads crap from all over the net in general and Google in particular anyways, so they don't care, but it leaves a very bad impression for an "open standard", yes.

Technically browsers could catch that include and replace it with local/cached logic, but I don't think that is happening or planned yet.

> Does nobody see what a HUGE security risk that is???

I dispute 'HUGE' (or even 'huge'). No more than using any CDN controlled by a large company.

1. You're welcome to say that CDNs are a risk in general but many reasonable people would disagree.

2. You're welcome to claim that Google is not to be trusted, but it rather depends on your audience. If you're providing a platform for the especially sensitive (anything related to politics/human rights/government/medical/financial might warrant extra caution) then I'd agree, but for the large majority of sites, loading javascript from Google is an acceptable trade-off.

So - I'm not disputing it's a security risk - I'm just not sure it's HUGE-in-capital-letters for most people.

Once AMP stabilizes, I'm hoping Google will encourage the use of SRI to ensure that the content is what a site expects: https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

Still unacceptable as it would still cause my users to expose their IP address to someone else's server.

Unfortunately the ubiquity of FB and G+ buttons, Google analytics and CDN use has raised a generation of web developers who don't see that as a problem.

Certificate Transparency will reveal the domains you connect to over TLS to a Google server anyway. Assuming you don't already use Google's DNS, that is.

Google could and should change their requirement to be that the integrity value for the script must be in their approved list rather than requiring their path.