HTML Service: Restrictions

  • Apps Script uses iframes to sandbox HTML-service web apps and custom user interfaces for security.

  • The only remaining sandbox mode is IFRAME; older modes are automatically migrated to this mode.

  • The IFRAME sandbox mode restricts certain actions, such as top-level navigation, by using specific HTML5 iframe sandboxing attributes.

  • In IFRAME mode, link targets must be set to _top or _blank.

  • Active content in IFRAME mode, such as scripts and external stylesheets, must be loaded over HTTPS.

To protect users from being served malicious HTML or JavaScript, Apps Script uses iframes to sandbox HTML-service web apps and custom user interfaces for Google Docs, Sheets, and Forms. (The HTML service does not use a sandbox in other situations, such as generating the body of an email.) The sandbox imposes limitations on client-side code.

Sandbox Mode

All sandbox modes are now sunset except for IFRAME. Apps using older sandbox modes now use the newer IFRAME mode automatically. If you have scripts that were developed using the older modes (NATIVE and EMULATED), you should follow the migration instructions to ensure they function properly under the IFRAME mode.

The setSandboxMode method now has no effect when called.

Restrictions in IFRAME mode

The IFRAME sandbox mode is based on the iframe sandboxing feature in HTML5, using the following keywords:

  • allow-same-origin
  • allow-forms
  • allow-scripts
  • allow-popups
  • allow-downloads
  • allow-modals
  • allow-popups-to-escape-sandbox
  • allow-top-navigation-by-user-activation - This attribute is only set for stand-alone script projects.

The allow-top-navigation keyword, which would let the embedded content navigate its top-level browsing context, is deliberately not included in the sandbox attribute. Script-driven redirects (for example, assigning to top.location) are therefore blocked by the browser. If you need to send the user somewhere else, add a link or a button and let the user trigger the navigation instead.

Setting the link target attribute

In IFRAME mode you need to set the target attribute of each link to either _top or _blank:

Code.js

function doGet() {
  var template = HtmlService.createTemplateFromFile('top');
  // setSandboxMode is a no-op now that IFRAME is the only mode; it is kept here for compatibility.
  return template.evaluate().setSandboxMode(HtmlService.SandboxMode.IFRAME);
}

top.html

<!DOCTYPE html>
<html>
  <body>
    <div>
      <a href="http://google.com" target="_top">Click Me!</a>
    </div>
  </body>
</html>

Instead of setting target on every link, you can set a document-wide default with the <base> tag within the head section of the page:

<!DOCTYPE html>
<html>
  <head>
    <base target="_top">
  </head>
  <body>
    <div>
      <a href="http://google.com">Click Me!</a>
    </div>
  </body>
</html>

HTTPS required for active content

"Active" content, such as scripts, external stylesheets, and XMLHttpRequest or fetch calls, must be loaded over HTTPS, not HTTP; the browser blocks plain-HTTP resources of this kind as mixed content.
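The three rules above (no script-driven top-level navigation, link targets of _top or _blank, and HTTPS for active content) are easy to violate in a file that looks fine in a plain browser tab. The following pre-deployment check is an added example, not Google's code or part of the HTML service. It is dependency-free JavaScript, so it runs under Node or can be pasted into an Apps Script project, and it scans an HTML file for each rule. The function names (checkHtmlServiceFile, attr, eachTag), the rule identifiers, and the two sample files are my own; the tag scanner is a small regex pass rather than a full HTML parser, so it will miss tags hidden in unusual markup and does not inspect inline event handlers such as onclick.

```javascript
// Added pre-deployment check (not Google's code) for HTML files served through
// the Apps Script HTML service under the IFRAME sandbox. Rules checked:
//   - every <a href> targets _top or _blank, directly or via <base target>
//   - <script src> and stylesheet <link href> URLs use HTTPS
//   - inline scripts neither assign top.location nor request http:// URLs
// Regex-based tag scanning only; not a full HTML parser.

const ALLOWED_TARGETS = new Set(['_top', '_blank']);

// Value of attribute `name` in a tag's attribute string, or null if absent.
function attr(attrs, name) {
  const re = new RegExp(
    '(?:^|\\s)' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s"\'>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return (m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]).trim();
}

// Invoke fn(tagName, attrString, rawTag) for every opening tag in html.
function eachTag(html, fn) {
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^>]*)?)\/?>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) fn(m[1].toLowerCase(), m[2] || '', m[0]);
}

// Returns a list of {rule, where, detail} findings; an empty list means clean.
function checkHtmlServiceFile(html) {
  const findings = [];
  const flag = (rule, where, detail) => findings.push({ rule, where, detail });

  // Pass 1: a <base target> sets the default target for every link.
  let baseTarget = null;
  eachTag(html, (tag, attrs) => {
    if (tag === 'base') baseTarget = attr(attrs, 'target') || baseTarget;
  });

  // Pass 2: link targets and active-content URLs.
  eachTag(html, (tag, attrs, raw) => {
    if (tag === 'a' && attr(attrs, 'href') !== null) {
      const target = attr(attrs, 'target') || baseTarget;
      if (!target || !ALLOWED_TARGETS.has(target)) {
        flag('link-target', raw, 'target must be _top or _blank (set it on the link or via <base target>)');
      }
    }
    let src = null;
    if (tag === 'script') src = attr(attrs, 'src');
    if (tag === 'link' && /stylesheet/i.test(attr(attrs, 'rel') || '')) src = attr(attrs, 'href');
    if (src !== null && /^http:\/\//i.test(src)) {
      flag('active-content-http', raw, 'active content must be loaded over HTTPS');
    }
  });

  // Pass 3: inline script bodies. allow-top-navigation is never granted, so an
  // assignment to top.location is blocked by the browser; http:// requests are too.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    if (/\btop\.location\b/.test(body)) {
      flag('top-navigation', body.trim().slice(0, 60), 'script-driven top-level navigation is blocked; use a user-activated link or button');
    }
    if (/['"`]http:\/\//.test(body)) {
      flag('inline-http-url', body.trim().slice(0, 60), 'requests from the sandbox must use HTTPS');
    }
  }
  return findings;
}

// Constructed sample files (not from the page) exercising each rule.
const SAMPLE_BAD = `<!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" href="http://example.com/style.css">
    <script src="https://example.com/app.js"></script>
  </head>
  <body>
    <a href="http://google.com">Click Me!</a>
    <a href="https://example.com" target="_self">Same frame</a>
    <script>
      window.top.location = 'https://example.com';
      fetch('http://example.com/api');
    </script>
  </body>
</html>`;

const SAMPLE_GOOD = `<!DOCTYPE html>
<html>
  <head>
    <base target="_top">
    <link rel="stylesheet" href="https://example.com/style.css">
  </head>
  <body>
    <a href="http://google.com">Click Me!</a>
    <button onclick="window.open('https://example.com', '_blank')">Open</button>
  </body>
</html>`;

console.log(checkHtmlServiceFile(SAMPLE_BAD));
console.log(checkHtmlServiceFile(SAMPLE_GOOD).length === 0 ? 'SAMPLE_GOOD: clean' : 'SAMPLE_GOOD: findings');
```

Run against SAMPLE_BAD the check reports five findings: the plain-HTTP stylesheet, the link with no target, the link with target="_self", the top.location assignment, and the http:// fetch. SAMPLE_GOOD passes because the <base target="_top"> covers the untargeted link, the stylesheet is HTTPS, and navigation happens only from a user-activated button.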

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-11 UTC.