When you paste a Google Apps Script Web App link (e.g., https://script.google.com/.../exec) into Google Sites, it automatically embeds, and fullscreen becomes available — even if:
- It’s not an oEmbed provider
- You didn’t write <iframe> code
- The iframe content normally wouldn’t support fullscreen
This happens because of how Google Sites handles "Google-native" domains and content security policies (CSP).
When you paste a link to:
- A Google Apps Script Web App
- A Google Doc, Sheet, or Slide
- A Google-hosted service
Google Sites recognizes it as a "trusted" Google resource — and it allows it to be embedded using a secure iframe with elevated permissions.
🔒 These permissions often include:
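- allow="fullscreen" (a feature grant in the iframe's allow attribute)
- allow-scripts (a sandbox attribute token)
- allow-same-origin (a sandbox attribute token)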
This is why even non-oEmbed links like Apps Script web apps behave more like rich embeds.
When you deploy an Apps Script as a Web App, you have these settings:
- Execute the app as: Me (the developer)
- Who has access: Anyone (or Anyone with the link)
If those settings are public or semi-public, the generated URL:
https://script.google.com/macros/s/AKfycb.../exec
is treated by Google Sites as embeddable — and it's wrapped in a proxy iframe that allows fullscreen interaction.
✅ Unlike some external services, Google doesn’t block fullscreen for its own iframe responses (unless you specifically code against it).
Even though your Apps Script page might not include:
<iframe allowfullscreen></iframe>
Google Sites injects it for you when embedding the script.google.com link, because:
- It knows the content is under its own secure control.
- It trusts the CSP headers and sandbox flags from Google servers.
- The embed uses HTML5-compliant wrappers with allowfullscreen.
So fullscreen becomes available on the iframe regardless of the code in your actual web app.
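As an added example (not Google's code and not from the original page), this JavaScript audits an iframe tag for the three grants named above: the fullscreen delegation and the two sandbox tokens. The sample tags are constructed, and the `wrapped` sample is an assumption built from the attributes listed earlier, since the markup Google Sites actually emits is not shown here.

```javascript
// Added example: sample tags are constructed, not captured from Google Sites.

// Pull attributes out of one <iframe ...> opening tag (no DOM required).
function parseIframeAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^\s*<iframe\b/i, '').replace(/\/?>[\s\S]*$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function auditIframe(tag) {
  const a = parseIframeAttrs(tag);
  // A sandbox attribute (even empty) turns every restriction on; tokens lift them.
  const sandboxed = 'sandbox' in a;
  const tokens = new Set((a.sandbox || '').toLowerCase().split(/\s+/).filter(Boolean));
  // allow="..." is a Permissions Policy list: "feature allowlist; feature allowlist".
  const policy = new Map();
  for (const directive of (a.allow || '').split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (feature) policy.set(feature.toLowerCase(), allowlist.join(' ') || "'src'");
  }
  // Legacy allowfullscreen only counts when allow= does not mention fullscreen.
  if (!policy.has('fullscreen') && 'allowfullscreen' in a) policy.set('fullscreen', '*');
  const scripts = !sandboxed || tokens.has('allow-scripts');
  const sameOrigin = !sandboxed || tokens.has('allow-same-origin');
  return {
    fullscreenDelegated: policy.has('fullscreen') && policy.get('fullscreen') !== "'none'",
    scripts,
    sameOrigin,
    // With both tokens, content sharing the embedder's origin can remove its sandbox.
    weakSandbox: sandboxed && scripts && sameOrigin,
  };
}

// Constructed sample tags (the elided script.google.com URL is kept as on the page).
const samples = {
  plain: '<iframe src="https://example.com/page.html"></iframe>',
  legacy: '<iframe src="https://example.com/widget" allowfullscreen></iframe>',
  wrapped: '<iframe src="https://script.google.com/.../exec" sandbox="allow-scripts allow-same-origin" allow="fullscreen"></iframe>',
  locked: `<iframe src="https://example.com/x" sandbox allowfullscreen allow="fullscreen 'none'"></iframe>`,
};

for (const [name, tag] of Object.entries(samples)) {
  console.log(name, auditIframe(tag));
}
```

The `locked` sample shows that an explicit `fullscreen 'none'` in the allow attribute overrides a legacy allowfullscreen on the same tag.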
Paste a link like:
- https://example.com/page.html → ❌ Won’t auto-embed
- https://somecoolsite.com/widget → ❌ Won’t show fullscreen
- https://script.google.com/.../exec → ✅ Embeds with fullscreen
This shows that the auto-fullscreen behavior is domain-based, not oEmbed-based.
🔴 Do NOT abuse this to embed misleading or age-restricted content. While Apps Script gives you flexibility, violating Google’s Terms of Service (e.g., using a Web App to bypass content restrictions or impersonate services) can result in:
- Suspension of your script
- Disabling of your Google Site
- Google account warnings or terminations
Always be honest about what your script does if embedded publicly.
| Feature | oEmbed (e.g., Vimeo) | Apps Script Web Apps |
| --- | --- | --- |
| Requires special metadata? | ✅ Yes | ❌ No |
| Allows fullscreen? | ✅ Yes (if coded) | ✅ Yes (auto-added) |
| Works via paste-only? | ✅ Yes | ✅ Yes |
| Custom permissions | ❌ Limited | ✅ Flexible via deploy settings |
| Google Sites trusted? | ⚠️ External | ✅ Fully trusted |
Google Apps Script Web Apps enable fullscreen in Google Sites automatically because:
- Google Sites trusts the script.google.com domain
- Google injects fullscreen permissions even without oEmbed
- The Apps Script deploy options make it embeddable by design