Search code examples
google-apps-scriptmanifestgoogle-workspace-add-ons

An explicit urlFetchWhitelist is required for all Google Workspace add-ons using UrlFetchApp error while deploying sheet add on

I am trying to deploy a google sheet add on (private add on.) I am using moment js for calculating the date in my code.js file

My manifest looks like this

Manifest:
Manifest

When I go to deploy the add on I am getting the error

"An explicit urlFetchWhitelist is required for all Google Workspace add-ons using UrlFetchApp"

I went through the posts on stackoverflow for the same and i did three recommended changes

  1. Added "https://www.googleapis.com/auth/script.external_request", to my oauthScopes [didn't work]
  2. Installed a trigger and invoked the permission to fetch external request and it did not work.
  3. Finally i tried to add a method to invoke the trigger on open as per this link

Still I am getting the same error when I go and click on deploy add on

urlFetchWhitelist error:
urlFetchWhitelist error

Solution

  • Answer:

    You need to add a urlFetchWhitelist parameter to your manifest and include all urls that you wish to fetch in an array as its value.

    Example:

    Say you have the line:

    const res = UrlFetchApp.fetch("https://google.com")

    in your code.

    You will need to add this to the whitelist in the appsscript.json manifest file:

    urlFetchWhitelist: ["https://google.com/"]

    Things to note (from the documentation):

    • Each prefix must be a valid URL.
    • Each prefix must use https://, not http://.
    • Each prefix must have a full domain.
    • Each prefix must have a non-empty path. For example, https://www.google.com/ is valid but https://www.google.com is not.
    • You can use wildcards to match URL subdomain prefixes.
    • A single * wildcard can be used in the addOns.common.openLinkUrlPrefixes field to match all links, but this is not recommended as it can expose a user's data to risk and can prolong the add-on review process. Only use a wildcard if your add-on functionality requires it.

    Update 2022-01-13:

    As per information on this Issue Tracker report, only the domain/sub-domain needs to whitelisted for fetching.

    For example, whitelisting:

    "urlFetchWhitelist": ["https://myapp.com/"]

    Will allow UrlFetchApp to connect to paths on that domain:

    UrlFetchApp.fetch("https://myapp.com/getUser")

    References: