google-apps-script x-frame-options

X-Frame-Options not set in Google Apps Script


I am using the following code in my doGet() to prevent X-Frame-Options from being sameorigin but it does not affect the headers in the final script.

function doGet(e) {
  // Map of page (template file) name to page title
  var page_titles = {
    "Setup": "title1",
    //....
  }
  if (!e.parameter.page) {
    // When no specific page requested, return "home page"
    var homepage = "Setup";
    var html = HtmlService.createTemplateFromFile(homepage).evaluate();
    // Ask HtmlService not to restrict framing of this page
    html.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
    html.setTitle(page_titles[homepage]);
    return html;
  }
  //...
}

X-Frame-Options: SAMEORIGIN


Solution

  • Looking through the bugs/issues in the Issue Tracker, I found this comment (for the exact same issue):

    The explanation: the URL to the script must end in /exec and not /dev.
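
A check for the situation in this thread, as an added example that is not part of the original question or answer: it reports which deployment URL was tested and whether the response headers still restrict framing, including the `frame-ancestors` directive of Content-Security-Policy. The function name `diagnoseFraming`, the `SCRIPT_ID` placeholder URLs and the sample headers are assumptions constructed for illustration.

```javascript
// Added example. URLs and header sets are constructed samples, not captured traffic.
function diagnoseFraming(url, headers) {
  const path = new URL(url).pathname;
  // The answer above: the script URL must end in /exec and not /dev.
  const deployment = path.endsWith('/exec') ? 'exec'
    : path.endsWith('/dev') ? 'dev' : 'unknown';

  // Header names are case-insensitive, so normalise before looking them up.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const xfo = (h['x-frame-options'] || '').toUpperCase() || null;

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const fa = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  const restricted = fa
    ? !fa.slice(1).includes('*')
    : xfo === 'DENY' || xfo === 'SAMEORIGIN';

  let finding;
  if (!restricted) {
    finding = 'framable by any origin: confirm this page is meant to be embedded';
  } else if (deployment === 'dev') {
    finding = 'restricted on /dev: re-test the /exec deployment URL';
  } else {
    finding = 'restricted: other origins cannot frame this page';
  }
  return { deployment, xfo, restricted, finding };
}

// Constructed samples; SCRIPT_ID is a placeholder. The second entry assumes
// that ALLOWALL results in no X-Frame-Options header being sent.
const SAMPLES = [
  ['https://script.google.com/macros/s/SCRIPT_ID/dev', { 'X-Frame-Options': 'SAMEORIGIN' }],
  ['https://script.google.com/macros/s/SCRIPT_ID/exec', {}],
];
for (const [url, headers] of SAMPLES) {
  console.log(url, '->', diagnoseFraming(url, headers).finding);
}
```

A result of "framable by any origin" means the page has no header-level clickjacking protection, so ALLOWALL is best limited to pages that are actually embedded elsewhere.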