diff --git a/src/sanitizer.js b/src/sanitizer.js
index aa9a740c46cb..9e29dbe79250 100644
--- a/src/sanitizer.js
+++ b/src/sanitizer.js
@@ -20,6 +20,7 @@ import {
 isProxyOrigin,
 parseUrl,
 resolveRelativeUrl,
+ SOURCE_ORIGIN_PARAM,
 } from './url';
 import {parseSrcset} from './srcset';
 import {user} from './log';
@@ -286,6 +287,9 @@ function resolveAttrValue(tagName, attrName, attrValue) {
 * @private Visible for testing.
 */
 export function resolveUrlAttr(tagName, attrName, attrValue, windowLocation) {
+ user().assert(attrValue.indexOf(SOURCE_ORIGIN_PARAM) == -1,
+ 'Source origin is not allowed in %s', attrValue);
+ const isProxyHost = isProxyOrigin(windowLocation);
 const baseUrl = parseUrl(getSourceUrl(windowLocation));
diff --git a/src/url.js b/src/url.js
index b9f9badbcfe1..1a5343292edc 100644
--- a/src/url.js
+++ b/src/url.js
@@ -37,8 +37,8 @@ let cache;
 /** @private @const Matches amp_js_* paramters in query string. */
 const AMP_JS_PARAMS_REGEX = /[?&]amp_js[^&]*/;
-/** @private @const {string} */
-const SOURCE_ORIGIN_PARAM = '__amp_source_origin';
+/** @const {string} */
+export const SOURCE_ORIGIN_PARAM = '__amp_source_origin';
 /**
 * @typedef {({
diff --git a/test/functional/test-sanitizer.js b/test/functional/test-sanitizer.js
index c74da065b082..d17343dd0f38 100644
--- a/test/functional/test-sanitizer.js
+++ b/test/functional/test-sanitizer.js
@@ -133,6 +133,13 @@ describe('sanitizeHtml', () => {
 describe('resolveUrlAttr', () => {
+ it('should throw if __amp_source_origin is set', () => {
+ expect(() => resolveUrlAttr('a', 'href',
+ '/doc2?__amp_source_origin=https://google.com',
+ 'http://acme.org/doc1'))
+ .to.throw(/Source origin is not allowed in/);
+ });
+ it('should be called by sanitizer', () => {
 expect(sanitizeHtml('')).to.match(/http/);
 expect(sanitizeHtml('')).to.match(/http/);
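Review bot: The guard added at the top of `resolveUrlAttr` in src/sanitizer.js is a substring test on the raw attribute text, so it rejects only the literal spelling of `SOURCE_ORIGIN_PARAM`; a value whose parameter name is percent-encoded would pass `indexOf`, and if the receiving server decodes query keys before reading them it could still arrive as that parameter. Matching after decoding closes the gap, for example by parsing the resolved URL and rejecting when any decoded query key equals `SOURCE_ORIGIN_PARAM`, with the substring test kept as a cheap first pass. The intent also deserves a line above the assert, such as `// Authors must not supply __amp_source_origin themselves; reject it before the URL is resolved.` Whether callers of the sanitizer expect `user().assert` to throw from inside attribute resolution is not visible here, because the rest of the function body lies outside the hunk.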
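Review bot: The new test in test/functional/test-sanitizer.js pins a single rejecting input, a relative `href` carrying the literal parameter name, so a later change to the guard could begin rejecting ordinary URLs or stop covering other URL forms without any test failing. Add a passing counterpart beside it, e.g. `expect(() => resolveUrlAttr('a', 'href', '/doc2?x=1', 'http://acme.org/doc1')).to.not.throw();`, plus a rejecting case for an absolute URL. If the guard is meant to catch an encoded spelling of the parameter name, a case asserting that belongs here too. The enclosing `describe('resolveUrlAttr', ...)` block continues past the end of the hunk.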