An enum representing the X-Frame-Options modes that can be used for client-side HtmlService scripts. These values can be accessed from HtmlService.XFrameOptionsMode,
and set by calling HtmlOutput.setXFrameOptionsMode(mode).
To call an enum, you call its parent class, name, and property. For example,
HtmlService.XFrameOptionsMode.ALLOWALL.
Setting XFrameOptionsMode.ALLOWALL will let any site iframe the page, so the developer
should implement their own protection against clickjacking.
If a script does not set an X-Frame-Options mode, Apps Script uses DEFAULT
mode as the default.
```javascript
// Serve HTML with no X-Frame-Options header (in Apps Script server-side code).
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
```
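One way to limit the exposure that ALLOWALL creates, as an added example that is not part of the Apps Script documentation: choose the mode per page, so only a view with no state-changing controls can be framed and every other page keeps DEFAULT. The page names (`index`, `settings`, `widget`), the `page` query parameter and the `resolvePage` helper are assumptions made for illustration.

```javascript
// Added example; page names and the `page` parameter are hypothetical.
// Pages this web app serves (each maps to an HTML file in the project).
const KNOWN_PAGES = new Set(['index', 'settings', 'widget']);

// Pages that may be framed by other sites. Keep this list to views that
// contain no buttons, forms or links that change state, so a framed copy
// gives a clickjacking overlay nothing useful to aim at.
const EMBEDDABLE_PAGES = new Set(['widget']);

// Pure decision: which page to serve and whether framing is allowed.
// Unknown or missing page names fall back to 'index', which is not embeddable.
function resolvePage(requested) {
  const page = KNOWN_PAGES.has(requested) ? requested : 'index';
  return { page, allowFraming: EMBEDDABLE_PAGES.has(page) };
}

// Apps Script web app entry point.
function doGet(e) {
  const requested = e && e.parameter ? e.parameter.page : undefined;
  const { page, allowFraming } = resolvePage(requested);

  const modes = HtmlService.XFrameOptionsMode;
  const output = HtmlService.createHtmlOutputFromFile(page);
  // ALLOWALL only for the allowlisted view; everything else stays on DEFAULT.
  output.setXFrameOptionsMode(allowFraming ? modes.ALLOWALL : modes.DEFAULT);
  return output;
}
```

Because the decision is made against a fixed allowlist, a caller cannot opt a sensitive page into ALLOWALL by changing the query string.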
Properties
| Property | Type | Description |
|---|---|---|
| ALLOWALL | Enum | No X-Frame-Options header will be set. This will let any site iframe the page, so the developer should implement their own protection against clickjacking. |
| DEFAULT | Enum | Sets the default value for the X-Frame-Options header, which preserves normal security assumptions. If a script does not set an X-Frame-Options mode, Apps Script uses this mode as the default. |