Stay organized with collections
Save and categorize content based on your preferences.
To protect users from being served malicious HTML or JavaScript, Apps Script
uses iframes to sandbox HTML-service web apps or custom user
interfaces for Google Docs, Sheets, and Forms. (The HTML service does not use a
sandbox in other situations, like generating the body of an email.) The sandbox
imposes limitations on client-side code.
Sandbox Mode
All sandbox modes are now sunset except for IFRAME. Apps using older sandbox
modes now use the newer IFRAME mode automatically. If you have scripts that
were developed using the older modes (NATIVE and EMULATED), you should
follow the migration instructions to ensure
they function properly under the IFRAME mode.
The setSandboxMode
method now has no effect when called.
Restrictions in IFRAME mode
The IFRAME sandbox mode is based on the
iframe sandboxing feature
in HTML5, using the following keywords:
The allow-top-navigation keyword, which allows the content to navigate its
top-level browsing context, is restricted and not set as an attribute in the
sandbox. If you need to redirect your script, add a link or a button for the
user to take action on instead.
Setting the link target attribute
In the IFRAME mode you need to set the link target attribute to either
_top or _blank:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-18 UTC."],[[["\u003cp\u003eApps Script utilizes iframes to sandbox HTML service web apps and custom interfaces for Google products, protecting users from malicious code.\u003c/p\u003e\n"],["\u003cp\u003eAll sandbox modes except \u003ccode\u003eIFRAME\u003c/code\u003e are sunset; existing scripts using older modes automatically transition to \u003ccode\u003eIFRAME\u003c/code\u003e, and developers should migrate their code accordingly.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eIFRAME\u003c/code\u003e sandbox mode, based on HTML5 iframe sandboxing, imposes limitations on client-side code with specific allowances and restrictions.\u003c/p\u003e\n"],["\u003cp\u003eTo redirect users in \u003ccode\u003eIFRAME\u003c/code\u003e mode, use links or buttons with \u003ccode\u003etarget="_top"\u003c/code\u003e or \u003ccode\u003e_blank"\u003c/code\u003e or utilize the \u003ccode\u003e<base>\u003c/code\u003e tag to override this behavior.\u003c/p\u003e\n"],["\u003cp\u003eActive content like scripts and external stylesheets within the sandboxed environment must be loaded over HTTPS to ensure security.\u003c/p\u003e\n"]]],[],null,["# HTML Service: Restrictions\n\nTo protect users from being served malicious HTML or JavaScript, Apps Script\nuses iframes to sandbox HTML-service web apps or custom user\ninterfaces for Google Docs, Sheets, and Forms. (The HTML service does not use a\nsandbox in other situations, like generating the body of an email.) The sandbox\nimposes limitations on client-side code.\n\nSandbox Mode\n------------\n\nAll sandbox modes are now sunset except for `IFRAME`. Apps using older sandbox\nmodes now use the newer `IFRAME` mode automatically. If you have scripts that\nwere developed using the older modes (`NATIVE` and `EMULATED`), you should\nfollow the [migration instructions](/apps-script/migration/iframe) to ensure\nthey function properly under the `IFRAME` mode.\n\nThe [`setSandboxMode`](/apps-script/reference/html/html-output#setSandboxMode(SandboxMode))\nmethod now has no effect when called.\n\nRestrictions in IFRAME mode\n---------------------------\n\nThe `IFRAME` sandbox mode is based on the\n[iframe sandboxing](https://html.spec.whatwg.org/#attr-iframe-sandbox) feature\nin HTML5, using the following keywords:\n\n- `allow-same-origin`\n- `allow-forms`\n- `allow-scripts`\n- `allow-popups`\n- `allow-downloads`\n- `allow-modals`\n- `allow-popups-to-escape-sandbox`\n- `allow-top-navigation-by-user-activation` - This attribute is only set for [stand-alone script projects](/apps-script/guides/standalone).\n\nThe `allow-top-navigation` keyword, which allows the content to navigate its\ntop-level browsing context, is restricted and not set as an attribute in the\nsandbox. If you need to redirect your script, add a link or a button for the\nuser to take action on instead.\n\n### Setting the link target attribute\n\nIn the `IFRAME` mode you need to set the link target attribute to either\n`_top` or `_blank`: \n\n### Code.js\n\n function doGet() {\n var template = HtmlService.createTemplateFromFile('top');\n return template.evaluate().setSandboxMode(HtmlService.SandboxMode.IFRAME);\n }\n\n### top.html\n\n \u003c!DOCTYPE html\u003e\n \u003chtml\u003e\n \u003cbody\u003e\n \u003cdiv\u003e\n \u003ca href=\"http://google.com\" target=\"_top\"\u003eClick Me!\u003c/a\u003e\n \u003c/div\u003e\n \u003c/body\u003e\n \u003c/html\u003e\n\nYou can also override this attribute using the `\u003cbase\u003e` tag within the head\nsection of the enclosing web page: \n\n \u003c!DOCTYPE html\u003e\n \u003chtml\u003e\n \u003chead\u003e\n \u003cbase target=\"_top\"\u003e\n \u003c/head\u003e\n \u003cbody\u003e\n \u003cdiv\u003e\n \u003ca href=\"http://google.com\"\u003eClick Me!\u003c/a\u003e\n \u003c/div\u003e\n \u003c/body\u003e\n \u003c/html\u003e\n\n### HTTPS required for active content\n\n[\"Active\" content](https://developer.mozilla.org/en-US/docs/Security/MixedContent#Mixed_active_content)\nlike scripts, external stylesheets, and XmlHttpRequests must be loaded over\nHTTPS, not HTTP."]]
