The following was originally posted on the Google Developers Blog by John Coiner, Software Engineer, Google.
Today we are announcing a change to the domain scheme of the Google AMP Cache. Beginning soon, the Google AMP Cache will serve each site from its own subdomain of https://cdn.ampproject.org. This change will allow content served from the Google AMP Cache to be protected by the fundamental security model of the web: the HTML5 origin.
No immediate changes are required for most publishers of AMP documents. However, to benefit from the additional security, it is recommended that all AMP publishers update their CORS implementation in preparation for the new Google AMP Cache URL scheme. The Google AMP Cache will continue to support existing URLs, but those URLs will eventually redirect to the new URL scheme.
How subdomain names will be created on the Google AMP Cache
The subdomains created by the Google AMP Cache will be human-readable when character limits and technical specs allow, and will closely resemble the publisher’s own domain.
When possible, the Google AMP Cache will create each subdomain by first converting the AMP document domain from IDN (punycode) to UTF-8. Every “-” (dash) will be replaced with “--” (2 dashes) and every “.” (dot) will be replaced with a “-” (dash). For example, pub.com will map to pub-com.cdn.ampproject.org. Where technical limitations prevent a human-readable subdomain, a one-way hash will be used instead.
Updates needed for hosts and service providers with remote endpoints
Due to the changes described above, CORS endpoints will begin seeing requests with new origins. The following updates will be required:
- Expand request acceptance to the new subdomain: Sites that currently only accept CORS requests from https://cdn.ampproject.org and the publisher’s own origins must update their systems to accept requests from the publisher’s subdomain on the Google AMP Cache (for example, https://pub-com.cdn.ampproject.org), from https://cdn.ampproject.org, and from the AMP publisher’s own origins.
- Tighten request acceptance for security: Sites that currently accept CORS requests from https://*.ampproject.org, as described in the AMP spec, can improve security by restricting acceptance to requests from the publisher’s subdomain on the Google AMP Cache, from https://cdn.ampproject.org, and from the AMP publisher’s own origins. Support for https://*.ampproject.org is no longer necessary.
- Support for new subdomain pattern by ads, analytics, and other technology providers: Service providers such as analytics and ads vendors that have a CORS endpoint will also need to ensure that their systems accept requests from the Google AMP Cache’s subdomains (e.g. https://ampbyexample-com.cdn.ampproject.org), in addition to their own hosts.
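The subdomain mapping and the tightened CORS acceptance described above can be combined into an exact-match origin allowlist. The following is an added example, not code from the original post or from the AMP project; the function names and the sample publisher origins are hypothetical. It covers only plain-ASCII publisher domains and treats the 63-character DNS label limit as the "character limit", so IDN domains and the one-way-hash fallback are left out.

```javascript
// Added example: CORS origin allowlist for an AMP publisher endpoint.
// Covers only plain-ASCII publisher domains; IDN domains and the one-way-hash
// fallback are out of scope (look those subdomains up with the cache URL API).

const CACHE_HOST = 'cdn.ampproject.org';

// Human-readable mapping from the post: "-" -> "--", then "." -> "-".
// Returns null when this sketch cannot derive the subdomain.
function cacheSubdomain(publisherDomain) {
  const domain = publisherDomain.toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(domain)) return null;   // non-ASCII: not handled here
  const label = domain.replace(/-/g, '--').replace(/\./g, '-');
  return label.length <= 63 ? label : null;          // 63 = DNS label length limit
}

// Build the exact set of origins the endpoint should accept.
function buildAllowedOrigins(publisherOrigins) {
  const allowed = new Set([`https://${CACHE_HOST}`]);
  for (const origin of publisherOrigins) {
    const url = new URL(origin);
    allowed.add(url.origin);
    const label = cacheSubdomain(url.hostname);
    if (label) allowed.add(`https://${label}.${CACHE_HOST}`);
  }
  return allowed;
}

// Exact string comparison against the Origin header: no wildcard, no suffix
// or substring matching.
function corsHeadersFor(originHeader, allowed) {
  if (typeof originHeader !== 'string' || !allowed.has(originHeader)) return null;
  return { 'Access-Control-Allow-Origin': originHeader, 'Vary': 'Origin' };
}

// Constructed sample input.
const allowed = buildAllowedOrigins(['https://pub.com', 'https://my-site.example']);
for (const origin of [
  'https://pub-com.cdn.ampproject.org',
  'https://cdn.ampproject.org',
  'https://other-com.cdn.ampproject.org',
  'https://pub-com.cdn.ampproject.org.test.example',
]) {
  console.log(origin, corsHeadersFor(origin, allowed) ? 'allow' : 'deny');
}
```

Because the comparison is against a fixed set of full origins, another site's cache subdomain and a look-alike host that merely contains the cache hostname are both rejected.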
Retrieving the Google AMP Cache URL
For platforms that display AMP documents and serve from the Google AMP Cache, the best way to retrieve Google AMP Cache URLs is to continue using the Google AMP Cache URL API. The Google AMP Cache URL API will be updated in Q1 2017 to return the new cache URL scheme that includes the subdomain.
You can use an interactive tool to find the Google AMP Cache subdomain generated for each site over at ampbyexample.com.
Timing and testing resources
Google Search is planning to begin using the new URL scheme as soon as possible and is monitoring sites’ compatibility.
In addition, a developer testing sandbox is available at g.co/ampdemo/cache to help ensure a smooth transition. After making the updates described above, please use the sandbox to test accessing your site via Google Search. The sandbox loads AMP pages using the new domain scheme, so if you spot CORS-related errors in this configuration, these issues should be addressed to avoid errors when the domain scheme change is fully rolled out.