The documentation for amp-email "security requirements" states:
All responses must echo the origin and __amp_source_origin values from above if they are valid:
Access-Control-Allow-Origin: https://amp.gmail.dev
AMP-Access-Control-Allow-Source-Origin: amp@gmail.dev
Access-Control-Allow-Source-Origin: AMP-Access-Control-Allow-Source-Origin
If the response doesn't contain these values, the CORS request fails, resulting in a browser console warning message.
I am testing the use of amp-list in the playground, and my response contains these headers. However, the data does not appear, and in the console I get the following error: Request xhr failed: The amp-access-control-allow-source-origin must be equal to the amp source origin sent in the request.
The amp_source_origin provided in the request is amp@gmail.dev as expected.
Here is a copy of the relevant response headers I return:
Access-Control-Allow-Origin: https://amp.gmail.dev
Access-Control-Allow-Source-Origin: AMP-Access-Control-Allow-Source-Origin
Amp-Access-Control-Allow-Source-Origin: amp@gmail.dev
Is there some additional header I need to provide?
The correct headers for CORS in the Gmail AMP Playground are the following:
Access-Control-Allow-Origin: https://amp.gmail.dev
AMP-Access-Control-Allow-Source-Origin: amp@gmail.dev
Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin
Gmail's documentation originally had an error where Access-Control-Allow-Source-Origin was incorrectly used instead of Access-Control-Expose-Headers, but this is now fixed.
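Why the expose header matters, as an added example that is not part of the original answer or Gmail's documentation: a cross-origin script can only read response headers that are CORS-safelisted or named in Access-Control-Expose-Headers, so without it the source-origin value is present on the wire but unreadable. The function names, the allow-lists and the simplified browser model are assumptions made for illustration.

```javascript
// CORS-safelisted response header names: always readable by cross-origin script.
const SAFELISTED = new Set(['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma']);
// Allow-lists (assumption: the playground values shown on this page).
const ALLOWED_ORIGINS = new Set(['https://amp.gmail.dev']);
const ALLOWED_SOURCE_ORIGINS = new Set(['amp@gmail.dev']);
const SOURCE_ORIGIN_HEADER = 'AMP-Access-Control-Allow-Source-Origin';

// Server side: echo the request values only when both are on the allow-list.
function buildAmpCorsHeaders(origin, sourceOrigin) {
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_SOURCE_ORIGINS.has(sourceOrigin)) {
    return null; // reject: send no CORS headers at all
  }
  return {
    'Access-Control-Allow-Origin': origin,
    [SOURCE_ORIGIN_HEADER]: sourceOrigin,
    'Access-Control-Expose-Headers': SOURCE_ORIGIN_HEADER,
  };
}

// Browser side (simplified model): value of a response header as script sees it.
function readableHeader(headers, name) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const exposed = new Set((lower['access-control-expose-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean));
  const key = name.toLowerCase();
  if (!SAFELISTED.has(key) && !exposed.has(key)) return null; // hidden from script
  return key in lower ? lower[key] : null;
}

// The comparison named in the console error: readable value vs. value sent.
function sourceOriginCheckPasses(headers, sentSourceOrigin) {
  return readableHeader(headers, SOURCE_ORIGIN_HEADER) === sentSourceOrigin;
}

// Headers copied from the question: no Access-Control-Expose-Headers is sent.
const QUESTION_HEADERS = {
  'Access-Control-Allow-Origin': 'https://amp.gmail.dev',
  'Access-Control-Allow-Source-Origin': 'AMP-Access-Control-Allow-Source-Origin',
  'Amp-Access-Control-Allow-Source-Origin': 'amp@gmail.dev',
};
console.log(sourceOriginCheckPasses(QUESTION_HEADERS, 'amp@gmail.dev'));
console.log(sourceOriginCheckPasses(
  buildAmpCorsHeaders('https://amp.gmail.dev', 'amp@gmail.dev'), 'amp@gmail.dev'));
```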