fix(core)!: Use CSP header to sandbox html webhooks instead of iframe (#18602)

2025-12-19 11:01:15 +00:00 · 2025-08-21 11:39:57 +03:00
parent 60670e1e40
commit 667656e8f3
11 changed files with 66 additions and 626 deletions
--- a/packages/nodes-base/nodes/RespondToWebhook/test/binary.test.ts
+++ b/packages/nodes-base/nodes/RespondToWebhook/test/binary.test.ts
@@ -1,11 +1,10 @@
-import { sandboxHtmlResponse } from 'n8n-core';
 import type { IDataObject } from 'n8n-workflow';
 import { BINARY_ENCODING } from 'n8n-workflow';

 import { getBinaryResponse } from '../utils/binary';

 describe('getBinaryResponse', () => {
-	it('returns sanitized HTML when binaryData.id is present and mimeType is text/html', () => {
+	it('returns { binaryData } when binaryData.id is present', () => {
 		const binaryData = {
 			id: '123',
 			data: '<h1>Hello</h1>',
@@ -15,7 +14,7 @@ describe('getBinaryResponse', () => {

 		const result = getBinaryResponse(binaryData, headers);

-		expect(result).toBe(sandboxHtmlResponse(binaryData.data));
+		expect(result).toEqual({ binaryData });
 		expect(headers['content-type']).toBe('text/html');
 	});

@@ -33,7 +32,7 @@ describe('getBinaryResponse', () => {
 		expect(headers['content-type']).toBe('application/octet-stream');
 	});

-	it('returns sanitized HTML when binaryData.id is not present and mimeType is text/html', () => {
+	it('returns Buffer when binaryData.id is not present', () => {
 		const binaryData = {
 			data: '<h1>Hello</h1>',
 			mimeType: 'text/html',
@@ -42,9 +41,8 @@ describe('getBinaryResponse', () => {

 		const result = getBinaryResponse(binaryData, headers);

-		expect(result).toBe(
-			sandboxHtmlResponse(Buffer.from(binaryData.data, BINARY_ENCODING).toString()),
-		);
+		expect(Buffer.isBuffer(result)).toBe(true);
+		expect(result.toString()).toBe(Buffer.from(binaryData.data, BINARY_ENCODING).toString());
 		expect(headers['content-type']).toBe('text/html');
 	});