I'd like to perform a check on the referring URL of a (standalone, anonymous) Google Apps Script, and take some action if the referring URL is one of two known "good" URLs.
Is there a way to do this? The best I've come up with so far involves client-side code and unfortunately document.referrer always begins https://script.google.com, not the address of the page with the link to the Google Apps script:
Code.gs
function doGet() {
var t = HtmlService.createTemplateFromFile('index');
t.heading = "My heading"
return t.evaluate().setSandboxMode(HtmlService.SandboxMode.IFRAME)
}
function validReferrer(ref) {
Logger.log("Referrer is: "+ref)
if (ref.indexOf('my-good-url.com') > - 1 ) {
return true
}
else
return false
}
index.html
<div>
<script>
function onSuccess(a) {
alert(a);
}
// referrer always begins https://script.google.com
var ref = document.referrer || "doesn't have a referrer";
google.script.run
.withSuccessHandler(onSuccess)
.validReferrer(ref)
</script>
<h1><?= heading ?></h1>
</div>
Ideally I'd like to run the check purely on the server side. As stated on this page "for security reasons, content returned by the Content service isn't served from script.google.com, but instead redirected to a one-time URL at script.googleusercontent.com" — and this is certainly confirmed by my findings. Interestingly when I change the sandbox mode to NATIVE, a referrer is not returned at all. I guess caja is filtering my client-side code.
The real referring page begins http:// (confirmed in my browser's web debugger console by issuing document.referrer).
