diff --git a/extensions/amp-a4a/0.1/amp-a4a.js b/extensions/amp-a4a/0.1/amp-a4a.js
index b1738aad97d0..685560e9111d 100644
--- a/extensions/amp-a4a/0.1/amp-a4a.js
+++ b/extensions/amp-a4a/0.1/amp-a4a.js
@@ -83,12 +83,6 @@ export const SAFEFRAME_VERSION_HEADER = 'X-AmpSafeFrameVersion';
 /** @type {string} @visibleForTesting */
 export const EXPERIMENT_FEATURE_HEADER_NAME = 'amp-ff-exps';
 
-/**
- * Controls if Content Security Policy is enabled for FIE render.
- * @type {string} @visibleForTesting
- */
-export const CSP_ENABLED_EXP_NAME = 'csp_enabled';
-
 /** @type {string} */
 const TAG = 'amp-a4a';
 
@@ -364,9 +358,6 @@ export class AmpA4A extends AMP.BaseElement {
      */
     this.postAdResponseExperimentFeatures = {};
 
-    /** @private {boolean} whether CSP for FIE is enabled */
-    this.cspEnabled_ = false;
-
     /**
      * The configuration for amp-analytics. If null, no amp-analytics element
      * will be inserted and no analytics events will be fired.
@@ -703,9 +694,6 @@ export class AmpA4A extends AMP.BaseElement {
                   tryDecodeUriComponent(match[1]));
             }
           }
-          this.cspEnabled_ =
-            this.postAdResponseExperimentFeatures[CSP_ENABLED_EXP_NAME] ==
-              'true';
           // If the response has response code 204, or arrayBuffer is null,
           // collapse it.
           if (!fetchResponse.arrayBuffer || fetchResponse.status == 204) {
@@ -1074,7 +1062,6 @@ export class AmpA4A extends AMP.BaseElement {
     this.experimentalNonAmpCreativeRenderMethod_ =
         this.getNonAmpCreativeRenderingMethod();
     this.postAdResponseExperimentFeatures = {};
-    this.cspEnabled_ = false;
   }
 
   /**
@@ -1365,7 +1352,6 @@ export class AmpA4A extends AMP.BaseElement {
           html: creativeMetaData.minifiedCreative,
           extensionIds: creativeMetaData.customElementExtensions || [],
           fonts: fontsArray,
-          cspEnabled: this.cspEnabled_,
         }, embedWin => {
           installUrlReplacementsForEmbed(this.getAmpDoc(), embedWin,
               new A4AVariableSource(this.getAmpDoc(), embedWin));
diff --git a/extensions/amp-a4a/0.1/test/test-amp-a4a.js b/extensions/amp-a4a/0.1/test/test-amp-a4a.js
index 2cbf5e0d4253..6c33e0349318 100644
--- a/extensions/amp-a4a/0.1/test/test-amp-a4a.js
+++ b/extensions/amp-a4a/0.1/test/test-amp-a4a.js
@@ -24,8 +24,6 @@ import {
   SAFEFRAME_VERSION_HEADER,
   protectFunctionWrapper,
   assignAdUrlToError,
-  EXPERIMENT_FEATURE_HEADER_NAME,
-  CSP_ENABLED_EXP_NAME,
 } from '../amp-a4a';
 import {AMP_SIGNATURE_HEADER} from '../signature-verifier';
 import {FriendlyIframeEmbed} from '../../../../src/friendly-iframe-embed';
@@ -322,8 +320,6 @@ describe('amp-a4a', () => {
     });
 
     it('populates postAdResponseExperimentFeatures', () => {
-      adResponse.headers[EXPERIMENT_FEATURE_HEADER_NAME] =
-          `foo=bar,bad,${CSP_ENABLED_EXP_NAME}=true`;
       a4a.buildCallback();
       a4a.onLayoutMeasure();
       return a4a.layoutCallback().then(() => {
@@ -331,9 +327,6 @@ describe('amp-a4a', () => {
         expect(child).to.be.ok;
         expect(child.srcdoc.indexOf('meta http-equiv=Content-Security-Policy'))
             .to.not.equal(-1);
-        expect(a4a.postAdResponseExperimentFeatures).to.jsonEqual({
-          foo: 'bar', [CSP_ENABLED_EXP_NAME]: 'true',
-        });
       });
     });
 
diff --git a/src/friendly-iframe-embed.js b/src/friendly-iframe-embed.js
index 4ea33d027682..6b59199ff64f 100644
--- a/src/friendly-iframe-embed.js
+++ b/src/friendly-iframe-embed.js
@@ -56,7 +56,6 @@ const EXCLUDE_INI_LOAD = ['AMP-AD', 'AMP-ANALYTICS', 'AMP-PIXEL'];
  *   html: string,
  *   extensionIds: (?Array<string>|undefined),
  *   fonts: (?Array<string>|undefined),
- *   cspEnabled: boolean,
  * }}
  */
 export let FriendlyIframeSpec;
@@ -147,9 +146,6 @@ export function installFriendlyIframeEmbed(iframe, container, spec,
     iframe.readyState = 'complete';
   };
   const registerViolationListener = () => {
-    if (!spec.cspEnabled) {
-      return;
-    }
     iframe.contentWindow.addEventListener('securitypolicyviolation',
         violationEvent => {
           dev().warn('FIE', 'security policy violation', violationEvent);
@@ -280,10 +276,8 @@ function mergeHtml(spec) {
   }
 
   // Load CSP
-  if (spec.cspEnabled) {
-    result.push('<meta http-equiv=Content-Security-Policy ' +
+  result.push('<meta http-equiv=Content-Security-Policy ' +
       'content="script-src \'none\';object-src \'none\';child-src \'none\'">');
-  }
 
   // Postambule.
   if (ip > 0) {
diff --git a/test/functional/test-friendly-iframe-embed.js b/test/functional/test-friendly-iframe-embed.js
index fad4a7e240ab..abcbdfd867ef 100644
--- a/test/functional/test-friendly-iframe-embed.js
+++ b/test/functional/test-friendly-iframe-embed.js
@@ -390,56 +390,56 @@ describe('friendly-iframe-embed', () => {
 
     it('should pre-pend to html', () => {
       const html = mergeHtmlForTesting(spec);
-      expect(html).to.equal('<base href="https://acme.org/embed1"><a></a>');
+      expect(html).to.equal('<base href="https://acme.org/embed1">'
+          + '<meta http-equiv=Content-Security-Policy content='
+          + '"script-src \'none\';object-src \'none\';child-src \'none\'">'
+          + '<a></a>');
     });
 
     it('should insert into head', () => {
       spec.html = '<html><head>head</head><body>body';
       const html = mergeHtmlForTesting(spec);
-      expect(html).to.equal(
-          '<html><head>'
-          + '<base href="https://acme.org/embed1">'
-          + 'head</head><body>body');
+      expect(html).to.equal('<html><head><base href="https://acme.org/embed1">'
+          + '<meta http-equiv=Content-Security-Policy content='
+          + '"script-src \'none\';object-src \'none\';'
+          + 'child-src \'none\'">head</head><body>body');
     });
 
     it('should insert into head w/o html', () => {
       spec.html = '<head>head</head><body>body';
       const html = mergeHtmlForTesting(spec);
-      expect(html).to.equal(
-          '<head>'
-          + '<base href="https://acme.org/embed1">'
-          + 'head</head><body>body');
+      expect(html).to.equal('<head><base href="https://acme.org/embed1">'
+          + '<meta http-equiv=Content-Security-Policy content="'
+          + 'script-src \'none\';object-src \'none\';child-src \'none\'">head'
+          + '</head><body>body');
     });
 
     it('should insert before body', () => {
       spec.html = '<html><body>body';
       const html = mergeHtmlForTesting(spec);
-      expect(html).to.equal(
-          '<html>'
-          + '<base href="https://acme.org/embed1">'
-          + '<body>body');
+      expect(html).to.equal('<html><base href="https://acme.org/embed1">'
+          + '<meta http-equiv=Content-Security-Policy content="script-src '
+          + '\'none\';object-src \'none\';child-src \'none\'"><body>body');
     });
 
     it('should insert before body w/o html', () => {
       spec.html = '<body>body';
       const html = mergeHtmlForTesting(spec);
-      expect(html).to.equal(
-          '<base href="https://acme.org/embed1">'
-          + '<body>body');
+      expect(html).to.equal('<base href="https://acme.org/embed1">'
+          + '<meta http-equiv=Content-Security-Policy content="script-src '
+          + '\'none\';object-src \'none\';child-src \'none\'"><body>body');
     });
 
     it('should insert after html', () => {
       spec.html = '<html>content';
       const html = mergeHtmlForTesting(spec);
-      expect(html).to.equal(
-          '<html>'
-          + '<base href="https://acme.org/embed1">'
-          + 'content');
+      expect(html).to.equal('<html><base href="https://acme.org/embed1">'
+          + '<meta http-equiv=Content-Security-Policy content="script-src '
+          + '\'none\';object-src \'none\';child-src \'none\'">content');
     });
 
     it('should insert CSP', () => {
       spec.html = '<html><head></head><body></body></html>';
-      spec.cspEnabled = true;
       expect(mergeHtmlForTesting(spec)).to.equal(
           '<html><head><base href="https://acme.org/embed1">' +
           '<meta http-equiv=Content-Security-Policy ' +
@@ -504,6 +504,24 @@ describe('friendly-iframe-embed', () => {
         return embed.whenWindowLoaded();
       });
     });
+
+    it('should add violation listener', () => {
+      let eventListenerSpy;
+      const container = {
+        appendChild: child => {
+          document.body.appendChild(child);
+          eventListenerSpy =
+              sandbox.spy(child.contentWindow, 'addEventListener');
+        },
+      };
+      const embedPromise = installFriendlyIframeEmbed(iframe, container, {
+        url: 'https://acme.org/url1',
+        html: '<a id="a1"></a>',
+      });
+      return embedPromise.then(() => {
+        expect(eventListenerSpy).to.be.calledOnce;
+      });
+    });
   });
 
   describe('child document ready polling', () => {
@@ -561,7 +579,9 @@ describe('friendly-iframe-embed', () => {
         },
         removeEventListener: () => {},
       };
-      contentWindow = {};
+      contentWindow = {
+        addEventListener: () => {},
+      };
       contentDocument = {};
       contentBody = {nodeType: 1, style: {}};
       container = {
@@ -595,6 +615,7 @@ describe('friendly-iframe-embed', () => {
     });
 
     it('should poll until ready', () => {
+      iframe.contentWindow = contentWindow;
       const embedPromise = installFriendlyIframeEmbed(iframe, container, {
         url: 'https://acme.org/url1',
         html: '<body></body>',
@@ -643,6 +664,7 @@ describe('friendly-iframe-embed', () => {
     });
 
     it('should stop polling when loaded', () => {
+      iframe.contentWindow = contentWindow;
       const embedPromise = installFriendlyIframeEmbed(iframe, container, {
         url: 'https://acme.org/url1',
         html: '<body></body>',
@@ -657,6 +679,7 @@ describe('friendly-iframe-embed', () => {
     });
 
     it('should stop polling when loading failed', () => {
+      iframe.contentWindow = contentWindow;
       const embedPromise = installFriendlyIframeEmbed(iframe, container, {
         url: 'https://acme.org/url1',
         html: '<body></body>',