I think this is not currently possible, but would be worth double-checking

/cc @choumx — WDYT about this as a feature for amp-list + amp-bind?

EDIT: attempting to summarize the discussion below into specifications for this feature request.

Dynamic resizing needs to cover the following cases:

1. Users interacting with the content inside the list can cause the contents to change size: a) Opening / closing an <amp-accordion>. b) Class toggles from <amp-bind>.
2. Using amp-bind to change the src attribute of <amp-list> can cause us to fetch contents that will have a different height from <amp-list>'s current height.
3. It is possible for <amp-list> to contain elements that will be loaded later. E.g. collapsible ads. <amp-list> should intelligently adjust its height based on the actual height of its contents.
4. After applying filters, <amp-list> might contain fewer elements and would hence need to resize.

Caveats to note:

1. Should not resize list when list bottom is in viewport for UX reasons.
2. Should make sure to test <amp-list> in <amp-sidebar> use case.
3. Should not resize if we scrolled past the <amp-list>.

Tentative proposed solution(s):

1. Set <amp-list> to behave like layout CONTAINER after first load.
2. Allow automatic resizing when [state] or [src] bindings change, perhaps toggled via a new boolean attribute resizeOnChange.

Motivation

Email is a cornerstone of many consumer and enterprise workflows. However the content that is sent in an email message is still limited — messages are static, can become out of date, and are not actionable without opening a browser.

Our goal is to enhance and modernize the email experience through added support for dynamic content and interactivity while keeping users safe. We propose to do this by allowing email publishers to embed AMP directly in a message body as a new MIME part—text-x-amphtml—which will be rendered by email clients (with graceful fallback to non-AMP content). Our proposed name for this project is “AMPHTML Email”.

Compared to websites, email is a different user context with different models of privacy and security. For example, phishing is a major concern for email. To maintain users’ expectations of security and privacy, we’ll only allow a conservative subset of AMP functionality. To enforce this, we propose adding a new AMPHTML email validation spec identified by a new attribute on the document element: amp4email. This is similar to the technique used by the AMPHTML Ads project which introduced its own spec that uses the attribute amp4ads .

Requirements

• Supports modern phishing and spam mitigation strategies
• Supports preserving privacy expectations of modern email providers

Proposed design

A minimal document:

<!doctype html>
<html ⚡4email> <!-- `amp4email` also accepted. -->
<head>
  <meta charset="utf-8">
  <style amp4email-boilerplate>body{visibility:hidden}</style>
  <script async src="https://cdn.ampproject.org/v0.js"></script>
</head>
<body>
Hello, world.
</body>
</html>

Note the lack of a <link rel=canonical> element compared to the traditional AMP spec. This is because an AMP email doesn’t have a canonical email. The boilerplate CSS is also simpler.

After a security review, the components below have been found to be secure in an email context:

Dynamic content

• amp-form
• amp-selector
• amp-bind & amp-state
• amp-list
• amp-mustache

Presentation

• amp-accordion
• amp-carousel
• amp-sidebar
• amp-image-lightbox
• amp-lightbox
• amp-fit-text
• amp-timeago

Media

• amp-img
• amp-anim

Caveats

1. All fetchable attributes like src and href must be static (i.e. cannot be mutated by amp-bind) so they can be inspected by spam/phishing filters
2. All network requests must be proxy-able to prevent leaking of users' IP address, setting cookies, etc.

/cc @raywainman @zhangsu @jasti

What's the issue?

We have been serving AMP ads via Firebolt from Cloudflare and they've told us that they are closing this service down. So we're looking to sign them ourselves.

How do we reproduce the issue?

Here's an example of how we are integrated

On:

https://amp-kiplinger-com.cdn.ampproject.org/v/amp.kiplinger.com/slideshow/retirement/T006-S001-worst-states-for-retirement-2018.html?amp_js_v=a2&amp_gsa=1&usqp=mq331AQECAFYAQ%3D%3D

You can see

To #15653

Overview

The following sections will try to answer these questions:

• What to include in the prompt dialog and how to allow CMP to customize it?
• What is the blocking behavior with CMP?
• What the data flow looks like between different parties?
• What the CMP needs to do to integrate with AMP?
• What does a publisher need to do to include a CMP solution on their AMP page?

Background

<amp-consent> provides a solution for publishers to collect user consent and block or unblock any AMP component in an AMP page. Currently, this solution only allows the publisher to collect a boolean consent for all vendors in the consent UI.

To support per purpose and per vendor based consents and allow for third party integration from Consent Management Platforms (CMP) with publisher AMP pages, AMP will enhance <amp-consent>. It will allow for richer interaction between the publisher page, vendors, CMP and ad extensions on AMP pages that need to know about the consent status. AMP must make such an API for CMPs because AMP doesn’t allow custom JavaScript to run on the page and therefore a CMP must integrate with the AMP framework to integrate with a publishers page.

Data Flow Desing

The following section explains each step in terms of data structure and API.

Read data from localStorage (Step 1)

Data includes the stored consent string and CMP stored information.

Pass information to CMP endpoint (Step 2)

The following data with be passed through a POST request

   {
     'consentInstanceId': string,
     'consentStr': string,
     'pubConfig': object,
     'cmpStoredData': string,
   }

CMP endpoint response (Step 3)

Endpoint returns a JSON object

   {
     'promptIfUnknown': boolean,
     'sharedData': object,
     'forcePrompt': boolean, //optional
   }

Initiate the UI iframe (Step 4)

Data will be stringified and passed via the iframe name attribute

   JSON.stringify({
     'publicConfig': object,
     'cmpStoredData': string,
     'consentStr': string,
   })

Iframe returns user decision (Step 5)

UI iframe will pass the consent information back to <amp-consent> via postMessage

window.parent.postMessage({
 type: 'consent-response',
 cmpStoredData: '',
 consentStr: '',
 action: 'accept/reject/dismiss'
}, '*');

consentStr is required to pass the value to vendors.

action is optional. When specified, it instructs components that don’t understand consent string to load or not based on the publisher’s configurations.

cmpStoredData value will be stored per the CMP request

Store consent information (Step 6)

Store the consentStr and the cmpStoredData to localStorage

Pass consent information (Step 7)

AMP components on the AMP page (vendors in the format <amp-ad type=${vendorName})> can access consent information with function call

getConsentPolicySharedData(ampdoc, policyId)

Where the function returns an object that merge the value of consentStr and sharedData

   {
     'consentStr': string,
     'sharedData': object
   }

Blocking Behaviors

Default Blocking Behaviors

When a CMP is present on the page, AMP runtime behavior will default to:

• Block all <amp-ad> components on the page from rendering
• Send request to the CMP endpoint to ask whether consent is required
  • If no -> Stop here
• Check if there’s a response stored in the AMP runtime, or the CMP endpoint returned with a response
  • If yes -> Unblock <amp-ad> and pass the response to them
  • If no -> Prompt the consent collect dialog in a foreign iframe
• Get the response from the prompted iframe Store the response as instructed.
• Unblock all <amp-ad> components (unless the publisher specifies not to by adding the data-block-on-consent attribute) and passesthe response to them.

Special Cases

Publishers can override the default behavior and customize the blocking behaviors by tagging the components manually.

• If a publisher wants to avoid ad blocking with a CMP,: Use <amp-ad data-block-on-consent=”_never”>
• If the publisher wishes to block a component other than <amp-ad>: Use the existing data-block-on-consent attribute. However, the value of the returned action (accept/reject/dismiss), depends on the agreement between the publisher and the CMP.

Prompt Window

External Iframe

AMP consent will load and render the CMP’s prompt UI in a cross domain iframe, where the CMP will have full control. However, AMP runtime will control the life cycle of the iframe, dictating when to load or unload it.

• The iframe will be loaded if a user consent is required but missing, or if a user wants to manage their consent at any point.
• The iframe will be unloaded once a user decision has been made and the prompt UI needs to be hidden.

Default placeholder

AMP will apply a placeholder before the CMP iframe loads to improve user experience. The placeholder will not block the user from interacting with the rest of the page. UX design will be added once ready.

Iframe Size and Placement

AMP will make the prompt UI interstitial by default. CMP and publishers will NOT be able to customize the size and the placement of the iframe. AMP will create a modal layer and place the iframe with default aspect width and height ratio in the center.

Consent String

Consent string contains the user decision and will be stored and passed to vendors. Vendors will interpret the consent string and respond accordingly.

Format

Because different CMPs want to store different consent strings for customized vendors in addition to the IAB consent string, AMP will not enforce format on the consent string, or attempt to interpret the consent string before passing the information to vendors. AMP would require CMP to indicate their string as IAB so that vendors can understand. Please note in MVP, not API will be provided to vendors, and vendors need to interpret consent string themselves.

Storage Limit

When the cached AMP page is served from the google.com. All information will be stored under the google.com domain. Because of it, AMP consent has to be very cautious of the storage usage.

In order to be space efficient, AMP restricts the size of total stored value to an upper limit of 300 bytes. That includes the consent string and the CMP private stored string, if one exists. CMPs should work with their partner vendors to compress their consent string.

In the case that a CMP asks AMP to store information that exceeds the size limit, AMP will:

• Erase the current stored value
• Log an error
• Unblock <amp-ad> components and make the consent string information globally accessible to all AMP components the consent string information but w/o storing the value for next visit.

Access

The consent string is made available to all AMP components on the page and to the CMP.

• To AMP components and vendors

  AMP components can call where the policyId can be interpreted from the data attribute.

  getConsentPolicySharedData(ampdoc, policyId)
  

  3P ad that integrate with AMP can find the string at (similar to supported sharedData)

  window.context.consentString
  

• To CMP

  • CMP will have access to the consent string. Per their request a CMP will also have access to the CMP stored data. Note that passing CMP stored data is not in scope with the initial implementation.

  • The stored value will be divided into two parts.

    • Standard Consent string
    • Private CMP stored string

    Where consent string can be shared to all components, stored string will only be shared with the CMP.

CMP Integration

A CMP named foo_bar will integrate with AMP in the following way.

Check in configuration

Add the configuration as part of the <amp-consent> codebase. This will allow AMP to recognize the CMP, perform steps to check if consent is necessary, handle storage and UI.

 'foo_bar': {
   ‘storageKey’: ‘cmp_foo_bar’,
   'checkConsentHref': 'https://foo-bar.com/amp/endpoint',
   'promptUISrc': 'https://foo-bar.com/cmp.html',
  }

storageKey instructs AMP runtime to store the consent information under this unique key name. Note: AMP will append prefix to the key. If not specified, AMP will assume CMP does not require consent string to be stored client side.

Unlike the current DIY approach with <amp-consent>, CMP will be able to specify the storage key value instead of publishers. This is easier for CMP to bump up versions because they have control of the storageKey.

checkConsentHref is a field AMP consent already supports. It allows the AMP consent component to ask the CMP if consent is required for a user. This field is required, as it is the key to instruct AMP runtime to ask for consent and block other components on the page. For more details, please refer to the section here

Note:the existing promptIfUnknowForGeoGroup for CMP integration won’t be provided as AMP expects CMP to host their own endpoint instead of depending on publishers configuration on the <amp-geo> component.

src is the source for the foreign iframe. It is also a required field. Once AMP consent decides to prompt, it will create a foreign iframe with the src given.

Host endpoint

AMP consent will rely on the host endpoint to determine if the prompt is required with the checkConsentHref request.

Consent Dialog

The CMP will need to modify their prompt logic to function in a cross domain iframe. And communicate with the parent host AMP page through the proposed communication APIs.

Publisher’s Configuration

To work with a CMP, publisher’s configuration will need to stay minimal.

   <amp-consent id="ABC" type="foo-bar" layout="nodisplay">
     <script type="application/json">{
       “cmp”: {
         “token”: xxx
       }
     }</script>
   </amp-consent>

Type Attribute

A type attribute with a valid CMP name value instructs the <amp-consent> component to load the CMP config.

CMP Object

All configuration within the cmp object will be passed to the CMP, both with checkConsentHref and iframe (added to the name attribute).

PostPromptUI

CMP’s support to postPromptUI has not been discussed yet. Right now publishers can still put their own postPromptUI element on the page and reference the element.

   <amp-consent id="ABC" type="foo-bar" layout="nodisplay">
     <script type="application/json">{
       "postPromptUI": "postPromptUI"
     }</script>
     <div id="postPromptUI">
       Post Prompt UI
       <button on="tap:ABC.prompt" role="button">Manage</button>
     </div>
   </amp-consent>

Other topics

Below is a list of topics we have talked about but not covered in the current design. We may look into supporting it in the future. Allow publishers to still use the <amp-geo> component to reduce one roundtrip of latency Provide support for CMP to store consent server side but not client side

Hi, After this discussion, https://productforums.google.com/forum/#!msg/webmasters/_EFTDi1koJo/EAoRom0fIQAJ, Tomo T suggested we open an issue here.

It's a known issue (#1662) that Cloudflare (and maybe other) are breaking AMP pages by inserting on the fly some javascript that do not comply with AMP specs.

Tomo T mentioned you guys are in touch with cloudflare, so maybe resolution is on its way, but in our wbAMP plugin for Joomla, we did the following: 1 - added no-cache headers 2 - Added a X-amphtml: wbAMP header, so that users can setup rules to bypass those pages in their CDN control panel for instance.

Is there any merit to this?

Rgds

We'd like to see the CSS limit increased from the current 50K to 100K.

Background - we're automatically converting sites, including all their look and feel to AMP. Many sites have 3-400k of CSS which we prune down to only the rules that are used on the page. This Typically yields between 30 and 80k of CSS.

This means that on the larger files we need to very aggressively optimize the CSS size by rewriting extensively which is a) computationally expensive, b) tends to break things in unexpected ways and c) means we're dropping /*! comments containing rights info which puts us out of license compliance. Increasing the limit to 100K would make all those issues go away for many publishers who are converting existing templates.

Here is an example page that's right up against the current limit https://cdn.relaymedia.com/amp/www.niemanlab.org/2016/08/that-friends-and-family-facebook-algorithm-change-doesnt-seem-to-be-hurting-traffic-to-news-sites/

Let me start by saying that I know if an ad is not in view, no ad loads, and there's no fallback that the ad space will collapse. But we have the need to run blank ads for reporting and for ad bundle purchasing and we need these blank ads to collapse the ad space. So then I recently learned of the context.noContentAvailable() function which collapses the ad space but kills the content of the iframe which doesn't allow the impression to load so there is no tracking. So how can I kill the ad space but still have an impression load. I'm trying to specifically solve for the "sticky" ad space, but my question applies to any ad space. I have also tried window.context.requestResize(0,0); but it wasn't executing (and strangely I wasn't seeing the onResizeSuccess or onResizeDenied listeners fire).

Here's a test url where currently I am using context.noContentAvailable(). You can see the view?xai=... in the network tab is cancelled - that's the impression failing to load. http://www.cbsnews.com/amp/news/james-comey-fired-fbi-director-in-2014-60-minutes/?adNetwork=7336&adtargeting_campaign=sticky_7336

Some restrictions have to be preserved, but most can be dropped at this time, I believe.

Some considerations:

1. !important should be prohibited as with stylesheets (should be done already for SVG).
2. url() values (e.g. for background-image, etc) should be rewritable by cache (should be done already for SVG).
3. The only allowed values of position are static, relative (and absolute?).
4. Based on some future optimizations we want to do, we should probably also disallow top:X, left:X, right:X, bottom:X. Though we may be able to remove this restriction.
5. SSR should be able to work with publisher-authored style attributes.

The only real restrictions comparing to the current state of things are position and top/bottom/etc restrictions. The question is whether, given these restrictions, this is still a good idea to implement.

/cc @Gregable @honeybadgerdontcare @jpettitt

Overview

A new <amp-consent> component that enables publisher to get consents from readers and manage their consents.

Format

<amp-consent>
   <script type='application/json'>{
     “consents”: {
        “consentInstanceABC”: {
           “checkConsentHref”: “endpointABC.com”,
           “promptUI”: “template1”
         },
        “consentInstanceDEF”: {
           “checkConsentHref”: “endpointDEF.com”,
           “promptUI”: “template2”
         }
      },
     “policy”: {
         “policyABC”: {
             “waitFor”: {
                “consentInstanceABC”: [],
              }
           }
     }
   }</script>
   <div id=”template1”>
     Collect consent for instance ABC
     <button on="tap:consentInstanceABC.dismiss">Dismiss</button>
     <button on="tap:consentInstanceABC.accept">Accept</button>
     <button on="tap:consentInstanceABC.decline">Decline</button>
   </div>
   <div id=”template2”>
     Can we use your cookie?
     <button on="tap:consentInstanceDEF.accept">Accept</button>
   </div>
 </amp-consent>

Consent instance

config

Each unique consent instance keeps a list of endpoints to get and update consent states. Initially, the configuration is simple:

• checkConsentHref: An endpoint to use to check the consent status
• promptUI: An ID corresponding to the UI container to display that's meant to collect this consent.

In the future, configuration options may be expanded for more functionality:

{
  checkConsentHref: (required)
  promptUI: (required)
  disableLocalStorage: (optional) true/false. Default to false - controls whether state does not get kept in local storage (see below)
  acceptHref: (optional) - an endpoint that is requested when the consent is accepted
  rejectHref: (optional) - an endpoint that is requested when the consent is rejected
  dismissHref: (optional) -  - an endpoint that is requested when the consent is dimissed
}

checkConsentHref

Request

Make a POST request:

{
  consentInstanceId // string for the consent ID being asked about
}

In the future, this may be expanded to include:

{
  consentInstanceId // string for the consent ID being asked about
  ampUserId // For server to identify the user
  timestamp // value stored on client side, can be empty
}

Response

Expect a response with an boolean value:

{
  'promptIfUnknown': boolean (true/false)
}

Consent Policy

A default consent policy will be auto generated to wait for every consent instance. One can overwrite the default consent policy by declaring a new consent policy instance with id "default". Or add other consent policy instances to the <amp-consent> config.

Consent Policy Instance Config

Each unique consent policy instance creates a consent blocking behavior unit that instruct other components on the page. It keeps a list of consent instances to wait for. Initially, the configuration is simple:

• waitFor: A JSON object that declare the list of consents to wait.

'waitFor': {
  'ABC': [] // Only empty array accept now.  
}

In the future, configuration options may be expanded for more functionality:

{
  'waitFor': {
    'consentId': [] // Array of items that's associated with that consent instance
  }
  'timeout': timeout in case user never respond
}

Storage

All consent instance state will be stored and handled client side. For each consent instance. LocalStorage looks like

• Key: amp-consent:${consentInstanceId}
• Value: true/false (won’t store anything for unknown state)

Blocking Components

Use data-block-on-consent=consent-policy-id to block AMP components with consents. If no consent-policy-id is specified, "default" consent policy instance will be used.

Individual AMP component can override default blocking behaviors and implement blocking logic itself.

UI

UI Restrictions

Prompt UI

• Only a single UI can be shown at a time.
• Position fixed and stick to the bottom of the page

Revocation button

• Will only be displayed after consent state is determined
• Can overlap when there are multiple consent instances.

Text

• All text will be static inlined. No template replacing will be supported

Revocation Button Design

Coming soon, we will support the ability to specify a UI container that will be displayed once the prompt has been handled. This can be used optionally to enable a persistent UI affordance to be displayed that allows the end user to revoke their previous choice and pick a new choice.

Feature description:

Support element-level infinite scroll, such that when the user reaches the end of a list of items (search results, product cards, etc), a call can be made to an arbitrary endpoint to populate the list with more items. For the best user experience, users should never see a loading spinner, but instead should either be presented with already-loaded results, or a button to tap to load more.

Update

This feature is available for origin trial per https://github.com/ampproject/amphtml/pull/20592 as of release https://github.com/ampproject/amphtml/issues/20587.

Related demos

Basic demos https://amp-infinite-scroll.glitch.me/ https://amp-infinite-scroll.glitch.me/flex.html Pretty Demo TODO: Add animation (slide up / slide in / fade in) TODO: Variable heights Example with a finite number of pages https://amp-infinite-scroll.glitch.me/finite.html Example with bad URL https://amp-infinite-scroll.glitch.me/bad-url.html Example with slow loading URL https://amp-infinite-scroll.glitch.me/latency.html Use Slow 3G network tab option or 2g poor on any of the examples Manual load more Example with finite number of pages https://amp-infinite-scroll.glitch.me/finite-2.html Example with bad URL https://amp-infinite-scroll.glitch.me/bad-url-2.html Example with slow loading URL https://amp-infinite-scroll.glitch.me/latency-2.html

Related issues

#19502

Related PRs

https://github.com/ampproject/amphtml/pull/19519 https://github.com/ampproject/amphtml/pull/19399

What's the issue?

We need to perform over 50 expressions in unique AMP page, how can we do it?

How do we reproduce the issue?

Below a demo AMP product page with the errors. https://www.giglio.com/borse-donna_borsa-mano-borsa-petite-2-jours-piccola-con-barra-metallica-logo-inciso-fendi-8bh2533wl.html?cSel=027&AAMMPP

What browsers are affected?

All browsers

Which AMP version is affected?

V0

This PR contains the following updates:

| Package | Change | Package file | |---|---|---| | json5 | 1.0.1 -> 1.0.2 | package.json | | json5 | 2.2.0 -> 2.2.2 | package.json |

See all other Renovate PRs on the Dependency Dashboard

# Check out the PR branch
git checkout -b renovate/npm-json5-vulnerability main
git pull https://github.com/ampproject/amphtml.git renovate/npm-json5-vulnerability

# Directly make fixes and commit them
amp lint --fix # For lint errors in JS files
amp prettify --fix # For prettier errors in non-JS files
# Edit source code in case of new compiler warnings / errors

# Push the changes to the branch
git push [email protected]:ampproject/amphtml.git renovate/npm-json5-vulnerability:renovate/npm-json5-vulnerability

GitHub Vulnerability Alerts

CVE-2022-46175

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:

const JSON5 = require('json5');

const doSomethingDangerous = (props) => {
 if (props.isAdmin) {
 console.log('Doing dangerous thing as admin.');
 } else {
 console.log('Doing dangerous thing as user.');

 }
};

const secCheckKeysSet = (obj, searchKeys) => {
 let searchKeyFound = false;
 Object.keys(obj).forEach((key) => {
 if (searchKeys.indexOf(key) > -1) {
 searchKeyFound = true;
 }
 });
 return searchKeyFound;
};

const props = JSON5.parse('{\"foo\": \"bar\"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
 doSomethingDangerous(props); // \"Doing dangerous thing as user.\"
} else {
 throw new Error('Forbidden...');
}

If an attacker attempts to set the isAdmin key, their request will be rejected:

const props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
doSomethingDangerous(props);
} else {
 throw new Error('Forbidden...'); // Error: Forbidden...
}

However, attackers can instead set the __proto__ key to {\"isAdmin\": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the attacker to bypass the security check and run their request as an admin:

const props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
 doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"
} else {
 throw new Error('Forbidden...');
}

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Issue (P0 Bug)

#38552

Pull Request(s)

#38604

AMP Version(s)

2212151632001

Channels

Beta / Experimental

Formats

Stories

Justification

Currently XDomain ads are not clickable on stories, which can affect monetization options for story publishers that get served with 3P ads. This can be categorized as:

• cause an outage or critical production issue
• cause a significant harm to AMP's reputation if left unresolved

Verification Steps

Trigger a XDomain ad (eg: here) and click on it. It should open the ad website.

Summary

XDomain story ads are not clickable due to another fix not being tested on XDomain ads. We didn't have example/amp-story websites to test locally with XDomain ads so we should add an example for XDomain ads if possible (added this as action item). Xdomain ads get renders differently from 1P ads, which contributed to the difficulty of testing this behavior in the repo.

Impact

No response

Action Items

• Add XDomain ad story in examples/amp-story
• If possible, write integration test with XDomain ad clicked

Notifications

/cc @ampproject/release-on-duty @ampproject/wg-approvers @ampproject/cherry-pick-approvers

Tests started failing on main after bazel released a new stable version. We should either

• fix tests to use bazel v6
• install bazel v5

logs from https://app.circleci.com/pipelines/github/ampproject/amphtml/26724/workflows/5c629962-c3da-49fa-9d79-e4eb8bdb3021/jobs/558498

validator-tests.js Running amp validator-cpp...
[16:24:35] Using task file project/amp.js
[16:24:35] Starting 'validator-cpp'...
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Elapsed time: 6.456s
INFO: 0 processes.

Exited with code exit status 1

related - https://github.com/ampproject/amphtml/pull/38608 cc/ @ampproject/wg-caching

Time: 16:30 UTC (add to Google Calendar) Location: Video conference via Google Meet

The AMP community holds weekly engineering design reviews. We encourage everyone in the community to participate in these design reviews.

If you are interested in bringing your design to design review, read the design review documentation and add a link to your design doc or issue by the Monday before your design review.

When attending a design review please read through the designs before the design review starts. This allows us to spend more time on discussion of the design.

We rotate our design review between times that work better for different parts of the world as described in our design review documentation, but you are welcome to attend any design review. If you cannot make any of the design reviews but have a design to discuss please let us know in the #contributing channel on Slack and we will find a time that works for you.

Description

On this page: https://amp.dev/documentation/guides-and-tutorials/start/converting/building-page - the javascript that is displayed and to be copied <script async custom-element="amp-script" src="https://cdn.ampproject.org/v0.js"></script> is incorrect ans should be <script async custom-element="amp-script" src="https://cdn.ampproject.org/v0/amp-script-0.1.js"></script>. Very minor. But For Newbs such as me, it was a little confusing that I was getting errors when there should be none.

Reproduction Steps

Go to this page: https://amp.dev/documentation/guides-and-tutorials/start/converting/building-page and follow the instructions. You will produce errors because the link to the current CDN javascript is incorrect.

Relevant Logs

No response

Browser(s) Affected

Chrome

OS(s) Affected

No response

Device(s) Affected

No response

AMP Version Affected

2212271632