Stay organized with collections Save and categorize content based on your preferences.
To protect users from being served malicious HTML or JavaScript, Apps Script uses iframes to sandbox HTML-service web apps or custom user interfaces for Google Docs, Sheets, and Forms. (The HTML service does not use a sandbox in other situations, like generating the body of an email.) The sandbox imposes limitations on client-side code.
Sandbox ModeAll sandbox modes are now sunset except for IFRAME. Apps using older sandbox modes now use the newer IFRAME mode automatically. If you have scripts that were developed using the older modes (NATIVE and EMULATED), you should follow the migration instructions to ensure they function properly under the IFRAME mode.
The setSandboxMode method now has no effect when called.
The IFRAME sandbox mode is based on the iframe sandboxing feature in HTML5, using the following keywords:
allow-same-originallow-formsallow-scriptsallow-popupsallow-downloadsallow-modalsallow-popups-to-escape-sandboxallow-top-navigation-by-user-activation - This attribute is only set for stand-alone script projects.The allow-top-navigation keyword, which allows the content to navigate its top-level browsing context, is restricted and not set as an attribute in the sandbox. If you need to redirect your script, add a link or a button for the user to take action on instead.
In the IFRAME mode you need to set the link target attribute to either _top or _blank:
function doGet() {
var template = HtmlService.createTemplateFromFile('top');
return template.evaluate().setSandboxMode(HtmlService.SandboxMode.IFRAME);
}
<!DOCTYPE html>
<html>
<body>
<div>
<a href="http://google.com" target="_top">Click Me!</a>
</div>
</body>
</html>
You can also override this attribute using the <base> tag within the head section of the enclosing web page:
<!DOCTYPE html>
<html>
<head>
<base target="_top">
</head>
<body>
<div>
<a href="http://google.com">Click Me!</a>
</div>
</body>
</html>
"Active" content like scripts, external stylesheets, and XmlHttpRequests must be loaded over HTTPS, not HTTP.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-04 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-04 UTC."],[[["Apps Script utilizes iframes to sandbox HTML service web apps and custom interfaces for Google products, protecting users from malicious code."],["All sandbox modes except `IFRAME` are sunset; existing scripts using older modes automatically transition to `IFRAME`, and developers should migrate their code accordingly."],["The `IFRAME` sandbox mode, based on HTML5 iframe sandboxing, imposes limitations on client-side code with specific allowances and restrictions."],["To redirect users in `IFRAME` mode, use links or buttons with `target=\"_top\"` or `_blank\"` or utilize the `\u003cbase\u003e` tag to override this behavior."],["Active content like scripts and external stylesheets within the sandboxed environment must be loaded over HTTPS to ensure security."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4