fix(core)!: Use CSP header to sandbox html webhooks instead of iframe (#18602)

2025-12-17 01:56:46 +00:00 · 2025-08-21 11:39:57 +03:00
parent 60670e1e40
commit 667656e8f3
11 changed files with 66 additions and 626 deletions
--- a/packages/cli/BREAKING-CHANGES.md
+++ b/packages/cli/BREAKING-CHANGES.md
@@ -2,6 +2,16 @@

 This list shows all the versions which include breaking changes and how to upgrade.

+# 1.109.0
+
+### What changed?
+
+Webhook HTML responses were sandboxed to an iframe starting from 1.103.1 due to security. The sandboxing mechanism is now changed to use `Content-Security-Policy` header instead of an `iframe`. The security guarantees stay the same, but the mechanism is less breaking.
+
+### When is action necessary?
+
+If you have workflows that return HTML responses from `Webhook Trigger` node or `Respond to Webhook` node.
+
 # 1.107.0

 ## What changed?