To call an enum, you call its parent class, name, and property. For example,
HtmlService.XFrameOptionsMode.ALLOWALL.
Setting XFrameOptionsMode.ALLOWALL will let any site iframe the page, so the developer
should implement their own protection against clickjacking.
If a script does not set an X-Frame-Options mode, Apps Script uses DEFAULT
mode as the default.
// Serve HTML with no X-Frame-Options header (in Apps Script server-side code).constoutput=HtmlService.createHtmlOutput('<b>Hello, world!</b>');output.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
Properties
Property
Type
Description
ALLOWALL
Enum
No X-Frame-Options header will be set. This will let any site iframe the page, so the
developer should implement their own protection against clickjacking.
DEFAULT
Enum
Sets the default value for the X-Frame-Options header, which preserves normal security
assumptions. If a script does not set an X-Frame-Options mode, Apps Script uses this
mode as the default.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-12-02 UTC."],[[["\u003cp\u003e\u003ccode\u003eXFrameOptionsMode\u003c/code\u003e is used to control how a client-side Apps Script HTML service can be embedded in iframes by other websites.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eALLOWALL\u003c/code\u003e permits any website to embed the page in an iframe while \u003ccode\u003eDEFAULT\u003c/code\u003e preserves the standard security behavior.\u003c/p\u003e\n"],["\u003cp\u003eIf you select \u003ccode\u003eALLOWALL\u003c/code\u003e, ensure to incorporate your own security measures against clickjacking.\u003c/p\u003e\n"],["\u003cp\u003eBy default, if \u003ccode\u003eX-Frame-Options\u003c/code\u003e mode isn't specifically set, Apps Script automatically applies the \u003ccode\u003eDEFAULT\u003c/code\u003e mode.\u003c/p\u003e\n"]]],["`XFrameOptionsMode` is an enum for setting `X-Frame-Options` in client-side HtmlService scripts. Accessed via `HtmlService.XFrameOptionsMode`, it's set using `HtmlOutput.setXFrameOptionsMode(mode)`. `ALLOWALL` removes the `X-Frame-Options` header, enabling any site to iframe the page, necessitating developer-implemented clickjacking protection. `DEFAULT` is the default mode if no mode is specified. The example shows how to set the mode to `ALLOWALL`.\n"],null,["XFrameOptionsMode\n\nAn enum representing the `X-Frame-Options` modes that can be used for client-side [HtmlService](/apps-script/reference/html/html-service) scripts. These values can be accessed from [HtmlService.XFrameOptionsMode](/apps-script/reference/html/html-service#XFrameOptionsMode),\nand set by calling [HtmlOutput.setXFrameOptionsMode(mode)](/apps-script/reference/html/html-output#setXFrameOptionsMode(XFrameOptionsMode)).\n\nTo call an enum, you call its parent class, name, and property. For example, `\nHtmlService.XFrameOptionsMode.ALLOWALL`.\n\nSetting `XFrameOptionsMode.ALLOWALL` will let any site iframe the page, so the developer\nshould implement their own protection against clickjacking.\n\nIf a script does not set an `X-Frame-Options` mode, Apps Script uses `DEFAULT`\nmode as the default.\n\n```javascript\n// Serve HTML with no X-Frame-Options header (in Apps Script server-side code).\nconst output = HtmlService.createHtmlOutput('\u003cb\u003eHello, world!\u003c/b\u003e');\noutput.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);\n``` \n\nProperties\n\n| Property | Type | Description |\n|------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `ALLOWALL` | `Enum` | No `X-Frame-Options` header will be set. This will let any site iframe the page, so the developer should implement their own protection against clickjacking. |\n| `DEFAULT` | `Enum` | Sets the default value for the `X-Frame-Options` header, which preserves normal security assumptions. If a script does not set an `X-Frame-Options` mode, Apps Script uses this mode as the default. |"]]
