Resumable_Upload_For_WebApps
Concern
Is it ok to send the token to the client? Anyone can access your Drive with that token.
Under the Web Apps settings in this sample, only the owner can use this script, so other users cannot see the access token. You can see the detailed information about the settings for Web Apps here.
Perfect!
When Web Apps is deployed, if "Execute the app as:" and "Who has access to the app:" are "Me" and "Only myself", respectively, other users cannot access the deployed Web Apps. If they are deployed as "Anyone, even anonymous" and "Anyone", other users can access the deployed Web Apps. Please be careful with these settings when you use this.
I do not understand. So is it safe to deploy with "who can access" set to anyone? In that case, can others get the OAuthToken?
Thank you for your comment. I have to apologize for my poor English skills. Unfortunately, I cannot understand 'So is it safe to deploy with "who can access" set to anyone? In that case, can others get the OAuthToken?'. Can I ask you about the details of your question?
In the comment from May 2018, you said that we have to be careful. I want to have a GAS web application where anybody can upload files for me, so I have to deploy as "anyone". So I guess someone with good JavaScript knowledge could get the OAuth token. Can they somehow misuse the OAuth token?
Thank you for replying. From your reply, in your situation, is this post useful? https://github.com/tanaikech/Safe-Uploading-for-Google-Drive-by-HTML-in-External-Server-using-Google-Apps-Script