Iframe origin policy
Various AMP features allow loading iframes from arbitrary origins into AMP pages. Examples are the amp-iframe element and the custom domain feature of amp-ad. Such iframes may not be on the same origin as the AMP document. The origin of a URL is its scheme, host and port, e.g. https://example.com; see the HTML5 spec for details.
AMP documents are designed to be accessible both through the web servers and origins where they are hosted and AMP proxy caches (such as cdn.ampproject.org). In the latter case, the iframes would never be on the same origin as the document, because iframes cannot be hosted on the proxy cache. This enforces the security rule from above.
amp-iframe uses a restrictive iframe sandbox by default. If one does not opt into allow-same-origin, then every origin is allowed for the iframe. As soon as you add allow-same-origin to the sandbox, the origin rules apply.
In concrete terms this means: if your main site is hosted on www.example.com, then you cannot include an iframe from www.example.com. Every other origin, such as assets.example.com, is fine.
The above only enforces that documents do not rely on cross-frame access for functionality. There is no guarantee that iframes are never on the same origin as the origin an AMP document is hosted on. One can easily circumvent AMP's not-same-origin-enforcement through redirects, since only the initial URL is tested.
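The policy described above, as an added example that is not AMP's own runtime code: a small JavaScript model of the check, using a hypothetical checkIframeOrigin(docUrl, iframeSrc, sandbox) that compares the document's origin with the iframe's initial src only when allow-same-origin is present. The sample URLs are constructed for illustration.

```javascript
// Added example, not AMP's implementation: models the amp-iframe origin
// rule as the text describes it, including the proxy-cache case and the
// "only the initial URL is tested" caveat.

// Origin of a URL = scheme + host + port (default ports are dropped by URL).
function originOf(url) {
  return new URL(url).origin;
}

// Hypothetical policy check (constructed for this example).
//   docUrl    : URL the AMP document is served from (publisher or cache)
//   iframeSrc : the iframe's src attribute, i.e. the *initial* URL only
//   sandbox   : the sandbox attribute value, e.g. "allow-scripts allow-same-origin"
function checkIframeOrigin(docUrl, iframeSrc, sandbox) {
  const tokens = (sandbox || '').trim().split(/\s+/).filter(Boolean);
  const sameOriginAllowed = tokens.includes('allow-same-origin');

  // Without allow-same-origin the frame runs in a unique opaque origin,
  // so it can never reach the parent document: any src is acceptable.
  if (!sameOriginAllowed) {
    return { allowed: true, reason: 'sandboxed without allow-same-origin' };
  }

  // With allow-same-origin, the frame keeps its real origin, so the
  // document origin and the frame's initial origin must differ.
  const docOrigin = originOf(docUrl);
  const frameOrigin = originOf(iframeSrc);
  if (docOrigin === frameOrigin) {
    return { allowed: false, reason: `iframe origin ${frameOrigin} equals document origin` };
  }
  return { allowed: true, reason: `${frameOrigin} differs from ${docOrigin}` };
}

// Walk through the cases from the text (constructed sample URLs).
function demo() {
  const sb = 'allow-scripts allow-same-origin';
  return {
    // main site and iframe on the same host: rejected
    sameHost: checkIframeOrigin('https://www.example.com/page', 'https://www.example.com/widget', sb),
    // sibling subdomain is a different origin: fine
    subdomain: checkIframeOrigin('https://www.example.com/page', 'https://assets.example.com/widget', sb),
    // no allow-same-origin: every origin is allowed
    noSameOrigin: checkIframeOrigin('https://www.example.com/page', 'https://www.example.com/widget', 'allow-scripts'),
    // served from the proxy cache: the publisher host is never the cache origin
    viaCache: checkIframeOrigin('https://www-example-com.cdn.ampproject.org/c/s/www.example.com/page', 'https://www.example.com/widget', sb),
  };
}
```

Note that the check never follows redirects: an src on assets.example.com passes even if that URL later redirects back to www.example.com, which is exactly the limitation the last paragraph describes, so the rule is a functionality guard, not an isolation guarantee.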