How do i allow embedding google script on specific domains

Question

 function doGet() {
    return HtmlService.createTemplateFromFile('form.html')
        .evaluate() // evaluate MUST come before setting the Sandbox mode
        .setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
}

The above is code from my Google script app. The code above allows embedding my script on all domains. What if i want to allow embedding the code only by specified domains, how would i edit the code

Is this what you are looking for: https://developers.google.com/apps-script/manifest/allowlist-url Another option would be to generate a whitelist yourself, query the url and proceed accordingly. — Ferris, May 01 '23 at 13:55

TheMaster · Answer 1 · 2023-05-01T15:50:29.387

0

There is no option in apps script to allow "only" certain domains. You may request this feature here.

You may also use client side JavaScript on chromium based browsers

//@see https://stackoverflow.com/questions/63551837/where-is-my-iframe-in-the-published-web-application-sidebar
const firstFrameLocation = window.parent.parent?.parent?.location?.ancestorOrigins?.[0];
if(!firstFrameLocation){
  //Firefox or not framed
  //Provide default user interface
}
if(firstFrameLocation.includes("example.com")){
  //Chromium based 
  //@see https://stackoverflow.com/questions/26046030/change-window-location-ancestororigins
}

edited May 01 '23 at 15:50

answered May 01 '23 at 15:13

TheMaster

45,448
6
62
85

If there is no anyway, is there a walk around, for example where i can prevent to run certain portion of google code is iframe host domain is not "var1". When i try to retrieve windows, referrer, and other normal code it does not capture the url. – Seal Sealt May 01 '23 at 15:31
@SealSealt I don't think it is possible in all browsers due to [tag:cors]/[tag:same-origin-policy]. The read call to `location.href` will be blocked in most browsers. If it works, this is the code: `if(window.parent.parent.parent.location.href.includes("example.com")){}`(Note that 3 parents are necessary to access the framer). However, you may have luck with chromium based browsers using `location.ancestorOrigins`(which leaves this in place for it's own advertising/tracking purposes) – TheMaster May 01 '23 at 15:37
I tried that several times before but it did not work. window is not defined it says – Seal Sealt May 01 '23 at 15:43
@SealSealt That should be a new question with [mcve]. For this, I edited my answer. – TheMaster May 01 '23 at 15:50

How do i allow embedding google script on specific domains

1 Answers1