To protect users from being served malicious HTML or JavaScript, Apps Script uses iframes to sandbox HTML-service web apps or custom user interfaces for Google Docs, Sheets, and Forms. (The HTML service does not use a sandbox in other situations, like generating the body of an email.) The sandbox imposes limitations on client-side code.
Sandbox Mode
All sandbox modes are now sunset except for IFRAME. Apps using older sandbox
modes now use the newer IFRAME mode automatically. If you have scripts that
were developed using the older modes (NATIVE and EMULATED), you should
follow the migration instructions to ensure
they function properly under the IFRAME mode.
The setSandboxMode method now has no effect when called.
Restrictions in IFRAME mode
The IFRAME sandbox mode is based on the iframe sandboxing feature in HTML5, using the allow-same-origin, allow-forms, allow-scripts, and allow-popups keywords.
Setting the link target attribute
In the IFRAME mode you need to set the link target attribute to either
_top or _blank:
Code.js
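function doGet() {
  // Serve the 'top.html' template as the web app's page.
  var template = HtmlService.createTemplateFromFile('top');
  // setSandboxMode() now has no effect (see above); IFRAME mode is always used.
  return template.evaluate().setSandboxMode(HtmlService.SandboxMode.IFRAME);
}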
top.html
<!DOCTYPE html>
<html>
  <body>
    <div>
      <a href="http://google.com" target="_top">Click Me!</a>
    </div>
  </body>
</html>
You can also override this attribute using the <base> tag within the head
section of the enclosing web page:
<!DOCTYPE html>
<html>
  <head>
    <base target="_top">
  </head>
  <body>
    <div>
      <a href="http://google.com">Click Me!</a>
    </div>
  </body>
</html>
HTTPS required for active content
"Active" content like scripts, external stylesheets, and XMLHttpRequests must be loaded over HTTPS, not HTTP.
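The link-target and HTTPS rules above can be checked before deployment. The following is an added example, not part of the Apps Script documentation or API: a small Node.js lint (the function names, rule labels and sample markup are assumptions made for illustration) that flags links without a _top or _blank target, taking a <base target> into account, and script or stylesheet tags loaded over http://. It does not inspect XMLHttpRequest calls made inside scripts.

```javascript
// Added example: lint a template for the two IFRAME-mode rules described above.
// Regex scanning is an assumption that suits simple templates; it is not an HTML parser.
const OK_TARGETS = new Set(['_top', '_blank']);

// Return the value of attribute `name` from a tag's source text, or null if absent.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function lintSandboxHtml(html) {
  const findings = [];
  const src = html.replace(/<!--[\s\S]*?-->/g, ''); // ignore commented-out markup
  const baseTag = /<base\b[^>]*>/i.exec(src);
  const baseTarget = baseTag ? attr(baseTag[0], 'target') : null;

  // Rule 1: every navigating link needs target _top or _blank, directly or via <base>.
  for (const [tag] of src.matchAll(/<a\b[^>]*>/gi)) {
    if (attr(tag, 'href') === null) continue; // no href, no navigation
    const target = attr(tag, 'target') ?? baseTarget;
    if (!target || !OK_TARGETS.has(target.toLowerCase())) {
      findings.push({ rule: 'link-target', tag });
    }
  }

  // Rule 2: external scripts and stylesheets must not use http://.
  for (const [tag] of src.matchAll(/<(?:script|link)\b[^>]*>/gi)) {
    const isScript = /^<script/i.test(tag);
    if (!isScript && !/stylesheet/i.test(attr(tag, 'rel') || '')) continue;
    const url = attr(tag, isScript ? 'src' : 'href');
    if (url && /^http:\/\//i.test(url.trim())) {
      findings.push({ rule: 'http-active-content', tag });
    }
  }
  return findings;
}

// Constructed sample input (cdn.example.com and example.com are placeholders).
const SAMPLE = `<!DOCTYPE html>
<html><head>
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
</head><body>
<a href="https://example.com/a" target="_top">ok</a>
<a href="https://example.com/b">no target</a>
<a href="https://example.com/c" target="_self">wrong target</a>
</body></html>`;
for (const f of lintSandboxHtml(SAMPLE)) console.log(f.rule, f.tag);
```

Run over the constructed sample, it reports the two links that would fail to navigate out of the sandbox and the one script requested over plain HTTP.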