Google-Apps-Script/Google-Drive cors issue - google-apps-script

I have created a Google Apps Script in Google Drive. Although the script was created in Drive, it has a URL that looks like:
https://script.google.com/macros/s/blah-blah-blah
As a result, attempts to stuff the output from the script into a web page hosted on Google Drive fail as an attempt to access a cross-origin resource. Any way I can get around this problem? Thanks for any input.
... doug

you could publish the gas as anonymous content script and use ajax to get the data (redirects enabled) and use regular client+side js to display it on your googledrive html page.
Maybe its not working because you havent published as anonymous?
Ive done ajax to a gas content script from a googledrive.com hosted page and it worked fine.

Related

GAS embedded in Google Site requests "insecure resource" whereas it worked before

I am using Google Apps Script's Visualization API to generate charts/tables and have about a dozen such scripts successfully embedded in Google Sites. Yesterday, I created a new script and tried to embed it into a Site by [Edit Page | Insert | Google: Apps Script] as usual. I received the following error seen in the Console:
Mixed Content: The page at
'https://sites.google.com/a/globalfoundries.com/aleister_projects/'
was loaded over HTTPS, but requested an insecure resource
'http://sites.google.com/a/globalfoundries.com/sites/system/errors/WebspaceNotFound?path=%2Fmacros%2Fs%2FAKfycbwuIGzoNErAzb2mqL5HRrVc6xeQTaavvycUXLhi1rSVSeF1ZUSM%2Fexec'.
This request has been blocked; the content must be served over HTTPS.
After some unsuccessful trouble-shooting with my new script, I attempted to embed a second copy of an existing script that I know has successfully generated a table into an existing Site directly below the existing copy of this script (see attached image). The result is that the original copy of the script that was embedded a few months ago renders fine, but the re-embedded copy inserted directly below it generates this error.
Is anyone having this issue? Has anyone seen this issue? Can anyone provide some insight? I'm not sure if there is some security change at my organization or if there is some Google-side update about which I am unaware. Thank you !
I had the same problem, and this is what I did to solve it:
I noticed that the format /exec link generated has changed.
Old format (supported in classic google site)
https://script.google.com/a/macros/your-domain.com/s/xxxxxxxxxxx_S61g09Dk/exec (macro was before the domain)
New Format (not supported in classic google site)
https://script.google.com/a/your-domain.com/macros/s/xxxxxxxxxxx_S61g09Dk/exec (macro is now after the domain)
Modifying the url after generation is the only solution I found. Hope this will help you.

Accessing web app developement URL from UrlFetch service

I'm trying to develop a simple web app using google script web app service and access it from another script using the UrlFetch service.
My problem is that in order to try the code on my web app I have to publish a new version every time because trying to access to the dev URL returns returns and HTML file telling me to sign in even though I've set the permissions for the web app to everyone, including anonymous (if I hit the production URL it does work, though).
I'm assuming that Google is limiting the access to the dev URL for security reasons but can someone shed a light on that assumption?
PS: I don't know if this is relevant but my google account is in a Google Apps for Education domain
Edit
I've found a method to avoid publishing the application for each code change: instead of calling it from the UrlFetch service, I've created a function in the web App code that does call the doPost or the doGet method (I've to create the request param, but that's easy) and I've changed the end of the script to log the result insted of returing it to the client. When the application will be ready, I can publish and develop the client using the UrlFetch.
Anyhow, if anyone knows about the limitation of the dev URL that would be great!
your assumption is correct, the dev url ignores your publishing permissions on purpose, only the developer has access to that url.
you could accomplish what you want using libraries. move the code in your called script to a library and add it to that script as "development mode" and publish your script service.
changing library code should also change your service because its on development mode.
Note that this can easily break your app if you save partial code changes, and makes it hard to test your changed code unless you make all changes and tests in a separate script copy. Making several changes at once in multiple apps script editor files is possible with their "Save all" File menu command (after manually pasting all code changes from your tested copy).

Google Apps Script - origin_mismatch error in Google Site

I'm aware there is a very similir here. But this assumes that you are developing a web app on a html fle uploaded to your own server domain. How do I need to set up the Javascript origins in the API project console when I'm working on a Google Site?
My Google Sites URL looks like https://sites.google.com/a/domain-name.com/site-name/page-name. I can't paste that URL since it says that the origin domain can't containt a path like http://example.com/subdir
Here is the error that I'm getting:
That’s an error.
Error: origin_mismatch
Application: Custom form
You can email the developer of this application at:
my-email#my-domain.com
Request Details immediate=false response_type=token
scope=https://www.googleapis.com/auth/drive.readonly
redirect_uri=postmessage proxy=oauth2relay945850002
state=845063282|0.3789568949
origin=https://n-qaqvqexe4f52wy3jge4j7oquqn5qtfw3gn4sumq-script.googleusercontent.com
include_granted_scopes=true
client_id=498878908299-opvf61qsrpr6en5kvh74esqbmii1nc7u.apps.googleusercontent.com
authuser=0
And this is the example code that I'm using
After wasting lot of hours, adding the URL after ss_domain= to the Authorized JavaScript origins worked for me.
From the error windows click on Request Details, look for ss_domain and copy that uri in the JavaScript Origins.

Unable to serve download links in google apps script

UPDATE: I have found a solution. This doesn't necessarily address every case, so I will leave the question open for a short time in case someone can enlighten me more. I solved it by changing the format of the url: Google Drive allows this format for downloading files:
https://docs.google.com/uc?export=download&id=FILE_ID
So I don't know if this is a problem for other URL's; nor actually exactly why the .getDownloadUrl() doesn't work ... maybe someone can explain. But for now this seems to work in the browsers that I can test ...
I have a simple WebApp script which I run on a Google Site by adding the Apps Script gadget. The gadget runs exactly as the Forms example on:
https://developers.google.com/apps-script/guides/html/communication#forms
The gadget is designed to do the following: when the page is loaded, a form is returned, and the user must enter a license key to get a link to download a product. My code serves the form OK, and gets the form submit OK; and it then validates the key, and if valid, sends back a link to download. All that works fine; and the problem is that no matter what I try to return for the download link, the caja iframe wrapper is preventing the click on the link from actually downloading the file.
My preferred URL to return is in fact via the Drive API: the download file is on the Google Drive, and I get the download link like so:
DriveApp.getFileById(downloadFileId).getDownloadUrl()
But when the returned link is clicked inside that caja iframe generated for the WebApp gadget, nothing happens. I have tried a few other URL formats pointing to that file on the Drive, but nothing is working for a download.
Is this possible?
.getDownloadUrl() method returns a temporary URL that can be used to download the file. This URL is valid only for a short period of time, after which it expires and does not return the file any more - that is probably why the links in your web app do not work. Can't remember exactly how long the URL is valid for, but I think it could be as short as 5 minutes.
Permanent download URL is stored in another file property: webContentLink. However, this property is not (yet) available through Google Apps Drive Service - you must use Advanced Drive Service to access it. You can enable Drive API under Advanced Google services in your script. After it is enabled, you can use it like so:
var file = Drive.Files.get(FILE_ID_HERE);
var dlUrl = file.webContentLink;
This will return the link just like the one you found and posted in your update. An advantage of using the Drive API to get the link, instead of hard-coding it, is that if Google ever changes the format of that URL, your code using Drive API to get the link will continue to work, while hard-coded links will not.
Full Drive Web API reference (what Advanced Drive Service uses) is at https://developers.google.com/drive/v2/reference/.

Google Drive sharing dialog blocked by x-frame-options, sameorigin

I can not get the Share dialog to work for the life of me. I created a test page here: https://super.neutrondrive.com/edit?view=test
What am I doing wrong that I keep getting blocked by xframe?
It looks like the problem was I needed to have the app installed on the user's Google Drive. When using the backend api this is pretty easy to do, but when using the JS API this is not readily apparent.