fix(core)!: Use CSP header to sandbox html webhooks instead of iframe (#18602)

packages/@n8n/config/src/configs/security.config.ts

@@ -39,7 +39,10 @@ export class SecurityConfig {
 	@Env('N8N_CONTENT_SECURITY_POLICY_REPORT_ONLY')
 	contentSecurityPolicyReportOnly: boolean = false;
 
-	/** Whether to disable iframe sandboxing for webhooks */
+	/**
+	 * Whether to disable HTML sandboxing for webhooks. The sandboxing mechanism uses CSP headers now,
+	 * but the name is kept for backwards compatibility.
+	 */
 	@Env('N8N_INSECURE_DISABLE_WEBHOOK_IFRAME_SANDBOX')
-	disableIframeSandboxing: boolean = false;
+	disableWebhookHtmlSandboxing: boolean = false;
 }

packages/@n8n/config/test/config.test.ts

@@ -299,7 +299,7 @@ describe('GlobalConfig', () => {
 			daysAbandonedWorkflow: 90,
 			contentSecurityPolicy: '{}',
 			contentSecurityPolicyReportOnly: false,
-			disableIframeSandboxing: false,
+			disableWebhookHtmlSandboxing: false,
 		},
 		executions: {
 			pruneData: true,