Do not include __amp_source_origin parameter on fetch requests if requireAmpResponseSourceOrigin is false/missing

[keithwrightbos]

Short description of your issue:

A4A uses fetchJson to retrieve the public key sets for crypto validation without requireAmpResponseSourceOrigin as an init property. This prevents network level caching across publisher pages.

How do we reproduce the issue?

Enable A4A via exp=a4a:-1

What browsers are affected?

All

Which AMP version is affected?

All

Suggested solution

Recommend either not including __amp_source_origin if requireAmpResponseSourceOrigin is not true or adding new parameter that allows for forceably not including

[lannka]

requireAmpResponseSourceOrigin was introduced for backward compatibility. And we cannot change its behavior because servers might be expecting the URL param.

We might need an extra boolean, such as ampCors = false, to completely turn off AmpCors (no __amp_source_origin in URL).

@cramforce

[cramforce]

Yes, I see the valid use case, but this should be extremely explicit as the vast majority of CORS use cases does want to check.

Worth checking if you will get caching with a * response as the origin whitelist. Browsers might still not do it.