Amp-script in sandboxed mode still asks for CSP hash if src url is cross origin

[zshnr]

Description

Based on the I2I #30193, the sandboxed mode was introduced in as part of PR #33643. The idea behind sandboxed mode was putting the 3p script behind a sufficient enough security boundary and not requiring CSP hashes. This is important to us because our SDK updates in a similar manner to AMP. I.e. new builds replace old ones at the same URL.

However, while this works fine for scripts referenced from the filesystem or inline scripts, it does not seem to work for cross origin scripts.

The reason for this is a missing this.sandboxed_ check inside the fetchAuthorScript_ inside amp-script.js where we skip the CSP hash check for this.development_.

I wonder if this has been mistakenly omitted. If so, I am happy to create a PR for this.

Tagging @samouri who originally worked on PR #33643

Reproduction Steps

I'm not sure why I can't see the CSP hash error in console in AMP Playground

But essentially, if you were to add this to an AMP page:

<amp-script sandboxed src="https://cdnjs.cloudflare.com/ajax/libs/axios/0.24.0/axios.min.js"></amp-script>

You will see the CSP error. However, if you download and include the file from the filesystem. For e.g.

<amp-script sandboxed src="axios.min.js"></amp-script>

It will be fine without the CSP hash.

Please note that the axios script is not important, this is just an example of a publicly available script that I had at hand.

Relevant Logs

No response

Browser(s) Affected

Chrome, Edge

OS(s) Affected

No response

Device(s) Affected

No response

AMP Version Affected

2110082201001

[zshnr]

After talking with @samouri, I'll create a PR for this :)