Enum XFrameOptionsMode

  • XFrameOptionsMode is used to control how a client-side Apps Script HTML service can be embedded in iframes by other websites.

  • ALLOWALL permits any website to embed the page in an iframe while DEFAULT preserves the standard security behavior.

  • If you select ALLOWALL, implement your own protection against clickjacking.

  • By default, if X-Frame-Options mode isn't specifically set, Apps Script automatically applies the DEFAULT mode.

XFrameOptionsMode

An enum representing the X-Frame-Options modes that can be used for client-side HtmlService scripts. These values can be accessed from HtmlService.XFrameOptionsMode, and set by calling HtmlOutput.setXFrameOptionsMode(mode).

To call an enum, you call its parent class, name, and property. For example, HtmlService.XFrameOptionsMode.ALLOWALL.

Setting XFrameOptionsMode.ALLOWALL will let any site iframe the page, so the developer should implement their own protection against clickjacking.

If a script does not set an X-Frame-Options mode, Apps Script uses DEFAULT mode.

// Serve HTML with no X-Frame-Options header (in Apps Script server-side code).
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
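One way to limit the clickjacking exposure that ALLOWALL creates, added here as an example (not code from the Apps Script documentation): allow framing only for a page with no clickable actions and leave every other page on DEFAULT. The page names, file names and the `page` URL parameter are hypothetical.

```javascript
// Hypothetical page registry: the keys, file names and the `page` URL
// parameter are assumptions made for this example.
const PAGES = new Map([
  // Read-only widget meant to be embedded by other sites. It has no buttons,
  // forms or google.script.run calls, so a framing site gains nothing by
  // tricking a user into clicking it.
  ['widget', { file: 'Widget', embeddable: true }],
  // Pages that change state keep the DEFAULT X-Frame-Options behaviour.
  ['settings', { file: 'Settings', embeddable: false }],
  ['home', { file: 'Home', embeddable: false }],
]);

// Unknown or missing page names fall back to the non-embeddable home page,
// so a crafted parameter can never select ALLOWALL by accident.
function resolvePage(name) {
  return PAGES.get(name) || PAGES.get('home');
}

// Web app entry point (Apps Script server-side code).
function doGet(e) {
  const requested = (e && e.parameter && e.parameter.page) || 'home';
  const page = resolvePage(requested);
  const mode = page.embeddable
    ? HtmlService.XFrameOptionsMode.ALLOWALL
    : HtmlService.XFrameOptionsMode.DEFAULT;
  return HtmlService.createHtmlOutputFromFile(page.file)
    .setXFrameOptionsMode(mode);
}
```

Keeping the embeddable page free of state-changing controls is what makes ALLOWALL acceptable here; any page that acts on the user's behalf stays on DEFAULT.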

Properties

| Property | Type | Description |
| --- | --- | --- |
| ALLOWALL | Enum | No X-Frame-Options header will be set. This will let any site iframe the page, so the developer should implement their own protection against clickjacking. |
| DEFAULT | Enum | Sets the default value for the X-Frame-Options header, which preserves normal security assumptions. If a script does not set an X-Frame-Options mode, Apps Script uses this mode as the default. |