Enum XFrameOptionsMode
XFrameOptionsMode
An enum representing the X-Frame-Options modes that can be used for client-side HtmlService scripts. These values can be accessed from HtmlService.XFrameOptionsMode,
and set by calling HtmlOutput.setXFrameOptionsMode(mode).
To call an enum, you call its parent class, name, and property. For example,
HtmlService.XFrameOptionsMode.ALLOWALL.
Setting XFrameOptionsMode.ALLOWALL will let any site iframe the page, so the developer
should implement their own protection against clickjacking.
If a script does not set an X-Frame-Options mode, Apps Script uses DEFAULT
mode as the default.
// Serve HTML with no X-Frame-Options header (in Apps Script server-side code).
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
Properties
| Property | Type | Description |
ALLOWALL | Enum | No X-Frame-Options header will be set. This will let any site iframe the page, so the
developer should implement their own protection against clickjacking. |
DEFAULT | Enum | Sets the default value for the X-Frame-Options header, which preserves normal security
assumptions. If a script does not set an X-Frame-Options mode, Apps Script uses this
mode as the default. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-12-02 UTC.
[null,null,["Last updated 2024-12-02 UTC."],[[["`XFrameOptionsMode` is used to control how a client-side Apps Script HTML service can be embedded in iframes by other websites."],["`ALLOWALL` permits any website to embed the page in an iframe while `DEFAULT` preserves the standard security behavior."],["If you select `ALLOWALL`, ensure to incorporate your own security measures against clickjacking."],["By default, if `X-Frame-Options` mode isn't specifically set, Apps Script automatically applies the `DEFAULT` mode."]]],["`XFrameOptionsMode` is an enum for setting `X-Frame-Options` in client-side HtmlService scripts. Accessed via `HtmlService.XFrameOptionsMode`, it's set using `HtmlOutput.setXFrameOptionsMode(mode)`. `ALLOWALL` removes the `X-Frame-Options` header, enabling any site to iframe the page, necessitating developer-implemented clickjacking protection. `DEFAULT` is the default mode if no mode is specified. The example shows how to set the mode to `ALLOWALL`.\n"]]
