I am running a Google Sheet on my Drive. From this Sheet I am scripting to load an iframe with an embedded, editable Google Form. I can achieve an embed with the Form's getpublishedURL but I want to display the Form's geteditURL.

The Form's geteditURL X-Frame-Options are set to SAMEORIGIN, so I cannot just swap the "published" and "edit" URLs and add the ?embedded=true flag to the geteditURL. Doesn't work.

I have submitted for verification to have OAuth consent scope for /auth/drive, which is described as allowing edit permissions for Drive files. I used my sheet's URL as my "website" so they would really understand what I mean.

If my verification is approved, will this allow me to use the Form's geteditURL without further issue, or will the X-Frame-Options issue persist?

Is there any other workaround?

I am not using a website for this app, at least for now. The idea for now is I could email this sheet to someone, let them save it to their own Google Drive folder. They would authorize the consent for the scripts to run on their own Drive, and that's it.

So 'technically' everything IS being run on the "SAMEORIGIN" but Google doesn't make it easy to allow their own tools to play together this way.

I understand why this is the way it is, but are there any workarounds for those of us without malicious intent, or am I doing the right thing already by submitting for verification of the /auth/drive OAuth scope?

Thank you!

I want to embed a Google Form geteditURL into an iframe and work around the X-Frame-Options "SAMEORIGIN" limitation for editable forms.

Dave
  • Possible duplicate of [Overcoming "Display forbidden by X-Frame-Options"](https://stackoverflow.com/questions/6666423/overcoming-display-forbidden-by-x-frame-options) – Randy Casburn May 26 '19 at 21:02
  • @RandyCasburn my question is unique because I am not creating a web page but rather a Google Sheet that spawns a Google Form. Mostly I want to know if requesting validation from Google to use the auth/drive consent scope will solve my problem, i.e. will it allow me to use script to open and embed the editURL of my Forms and not just the publishedURL. Or am I wasting my time waiting for that? – Dave May 27 '19 at 02:44
  • Dave, as much as you want to believe your situation is unique, it just isn't. The reason why is because this is happening inside a browser - regardless of the service, provider, app name or infrastructure. Your browser prevents content from different origins because it is told to prevent it with the X-FRAME-OPTIONS header. – Randy Casburn May 27 '19 at 02:52
  • Is this helpful? https://stackoverflow.com/questions/40842627/embedding-google-apps-script-in-an-iframe – Randy Casburn May 27 '19 at 03:08
  • Thanks, but yes I am already using the .allowAll command you referenced. – Dave May 28 '19 at 03:30
  • My situation changed slightly. Google responded to my OAuth verification request and after some clarification they recommended I set up GSuite, an actual HTML page to host the Sheet, and then create an Organization where I have more control over the OAuth consent scopes. I did all this and indeed was able to enable all of the drive and docs and sheets edit scopes. So now I am trying to basically move all of the JS and HTML out of the sheet and figure out how to have the sheet make all external JS and HTML calls. Then maybe I will "own the origin" as well as the edit scopes. – Dave May 28 '19 at 03:34
  • Mind you, these are all my docs and forms on my google drive, that I pay for via storage fees and Gsuite app costs. So I just don't get why they took this specific approach and made it so difficult to control my own content. What I am hoping is that I do not have to fully recreate a spreadsheet and forms front end to accomplish my goal. With all of the Google resources available to do this already it would just seem wasteful and stupid to reinvent the whole car. – Dave May 28 '19 at 03:37
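
As an added illustration (not code from the question, the comments or Google), the following models how a browser evaluates `X-Frame-Options` for a nested frame: the decision uses only the header value and the origins in the ancestor chain, and has no input for OAuth scopes. All URLs are constructed, and `sandbox-host.example` is an assumed stand-in for whatever origin serves the script-generated HTML that holds the iframe.

```javascript
// Constructed sample URLs (placeholders, not real documents).
const FORM_EDIT_URL = "https://docs.google.com/forms/d/FORM_ID_PLACEHOLDER/edit";
const SHEET_URL = "https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/edit";
// Assumption: the script's HTML dialog is served from some other origin.
const DIALOG_URL = "https://sandbox-host.example/dialog";

// Origin = scheme + host + port, as the browser computes it.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether frameUrl may render inside ancestorUrls
// (immediate parent first, top-level page last).
// Simplified model: handles a single header value only.
function checkFraming(xfoHeader, frameUrl, ancestorUrls) {
  if (xfoHeader == null || xfoHeader.trim() === "") {
    return { allowed: true, reason: "no X-Frame-Options header" };
  }
  const value = xfoHeader.trim().toUpperCase();
  if (value === "DENY") {
    return { allowed: false, reason: "DENY blocks all framing" };
  }
  if (value === "SAMEORIGIN") {
    const frameOrigin = originOf(frameUrl);
    // Modern browsers compare against every ancestor, not just the top page.
    const mismatch = ancestorUrls.find((u) => originOf(u) !== frameOrigin);
    return mismatch
      ? { allowed: false, reason: `ancestor ${originOf(mismatch)} != ${frameOrigin}` }
      : { allowed: true, reason: "every ancestor shares the frame's origin" };
  }
  // In this model, any other single value imposes no restriction.
  return { allowed: true, reason: "unrecognised value imposes no restriction" };
}

// Form edit page -> inside the script dialog -> inside the Sheet.
function demo() {
  return {
    viaDialog: checkFraming("SAMEORIGIN", FORM_EDIT_URL, [DIALOG_URL, SHEET_URL]),
    directInSheet: checkFraming("SAMEORIGIN", FORM_EDIT_URL, [SHEET_URL]),
  };
}

console.log(demo());
```

In the `viaDialog` case the top-level Sheet shares the form's origin, yet the frame is still refused because one intermediate ancestor does not.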

0 Answers