Create meta tag for allowing local http sites during testing only

[ccstartfish101]

Allowing whitelisting local http sites is very convenient for testing. We should create a meta tag that itself is invalid AMP and thus cannot be deployed to production.

[dvoytenko]

Should we just do it under development=1?

[cramforce]

That doesn't help security wise because it is subject to downgrade attack.
I think allowing it only if the meta tag is present and the AMP itself is
on HTTP is OK.
On Dec 28, 2015 10:38 AM, "Dima Voytenko" [email protected] wrote:

Should we just do it under development=1?

—
Reply to this email directly or view it on GitHub
#1252 (comment)
.

[src-code]

I'd like to see something like this implemented soon - right now testing pre-production environments other than localhost that aren't terminating https is rather difficult, especially when substitutions like SOURCE_HOST aren't returning the port number (I'm planning to submit a pull for that one...)

[adelinamart]

Do we still need this? Thanks

[src-code]

@adelinamart I think so. The substitutions I referenced above don't really help, since they're encoded and thus can't be used when setting the host portion of a url.

[dvoytenko]

I agree. This would be very helpful.

[adelinamart]

@dvoytenko are we planning to prioritize this anytime soon?Thanks

[dvoytenko]

This sounds useful, but I still see it as a p3.

[Gregable]

Is this still useful? (I think yes).

What are we whitelisting when this meta tag is present? (I think: allowing relative URLs in the validator in the handful of places where relative URLs are disallowed. Anything else?)

[honeybadgerdontcare]

#16616 introduces the ability to turn off validation with #validate=0 on the query string when in developer mode. If that doesn't fully address this issue, then please reopen with why it doesn't.