Enum SandboxMode

An enum representing the sandbox modes that can be used for client-side HtmlService scripts. These values can be accessed from HtmlService.SandboxMode.

To protect users from being served malicious HTML or JavaScript, client-side code served from HTML service executes in a security sandbox that imposes restrictions on the code. The method HtmlOutput.setSandboxMode(mode) allows script authors to choose between different versions of the sandbox. For more information, see the guide to restrictions in HTML service.

If a script does not set a sandbox mode, Apps Script uses NATIVE mode as the default. Prior to February 2014, the default was EMULATED. The default is subject to change.

The IFRAME mode imposes many fewer restrictions than the other sandbox modes and runs fastest, but does not work at all in certain older browsers, including Internet Explorer 9. By contrast, EMULATED mode is more likely to work in older browsers that do not support ECMAScript 5 strict mode, most notably Internet Explorer 9. NATIVE mode is the middle ground. If NATIVE mode is set but not supported in the user's browser, the sandbox mode falls back to EMULATED mode for that user.

 

 // Serve HTML with a defined sandbox mode (in Apps Script server-side code).
 var output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
 output.setSandboxMode(HtmlService.SandboxMode.IFRAME);

The sandbox mode can also be read in a client-side script by inspecting google.script.sandbox.mode. Note that this property returns the actual mode on the client, which may differ from the mode requested on the server if the requested mode is not supported in the user's browser.

 

 <!-- Read the sandbox mode (in a client-side script). -->
 <script>
   alert(google.script.sandbox.mode);
 </script>

Properties

Property	Type	Description
`EMULATED`	`Enum`	A legacy sandbox mode that emulates ECMAScript 5 strict mode using only the features available in ECMAScript 3. This mode was the default prior to February 2014. This mode is more likely than the `NATIVE` and `IFRAME` modes to work in older browsers that do not support ECMAScript 5 strict mode, most notably Internet Explorer 9. (Very old browsers, including Internet Explorer 8 and below, are usually incompatible with HTML service.) This mode imposes extra restrictions on what a script can do and generally runs more slowly than the `NATIVE` or `IFRAME` modes.
`IFRAME`	`Enum`	A sandbox mode that uses iframe sandboxing instead of the Caja sandbox technology used by the `EMULATED` and `NATIVE` modes. This mode imposes many fewer restrictions than the other sandbox modes and runs fastest, but does not work at all in certain older browsers, including Internet Explorer 9.
`NATIVE`	`Enum`	A sandbox mode that is built on top of ECMAScript 5 strict mode. This mode has been the default since February 2014. This mode imposes fewer restrictions than `EMULATED` mode and generally runs faster, but is more restrictive and slower than `IFRAME` mode. If this mode is set, certain older browsers — most notably Internet Explorer 9 — fall back to `EMULATED` mode on an individual basis. (Very old browsers, including Internet Explorer 8 and below, are usually incompatible with HTML service.)

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies.

Last updated February 26, 2015.