fix(core)!: Use CSP header to sandbox html webhooks instead of iframe (#18602)

2025-12-17 10:02:05 +00:00 · 2025-08-21 11:39:57 +03:00
parent 60670e1e40
commit 667656e8f3
11 changed files with 66 additions and 626 deletions
--- a/packages/nodes-base/nodes/RespondToWebhook/utils/binary.ts
+++ b/packages/nodes-base/nodes/RespondToWebhook/utils/binary.ts
@@ -1,4 +1,3 @@
-import { isHtmlRenderedContentType, sandboxHtmlResponse, isIframeSandboxDisabled } from 'n8n-core';
 import type { IBinaryData, IDataObject, IN8nHttpResponse } from 'n8n-workflow';
 import { BINARY_ENCODING } from 'n8n-workflow';
 import type { Readable } from 'stream';
@@ -15,30 +14,13 @@ const setContentLength = (responseBody: IN8nHttpResponse | Readable, headers: ID
 * Returns a response body for a binary data and sets the content-type header.
 */
 export const getBinaryResponse = (binaryData: IBinaryData, headers: IDataObject) => {
-	const contentType = headers['content-type'] as string;
-
-	let shouldSandboxResponseData;
-	if (isIframeSandboxDisabled()) {
-		shouldSandboxResponseData = false;
-	} else {
-		shouldSandboxResponseData =
-			isHtmlRenderedContentType(binaryData.mimeType) ||
-			(contentType && isHtmlRenderedContentType(contentType));
-	}
-
 	let responseBody: IN8nHttpResponse | Readable;

 	if (binaryData.id) {
-		responseBody = shouldSandboxResponseData
-			? sandboxHtmlResponse(binaryData.data)
-			: { binaryData };
+		responseBody = { binaryData };
 	} else {
 		const responseBuffer = Buffer.from(binaryData.data, BINARY_ENCODING);
-
-		responseBody = shouldSandboxResponseData
-			? sandboxHtmlResponse(responseBuffer.toString())
-			: responseBuffer;
-
+		responseBody = responseBuffer;
 		setContentLength(responseBody, headers);
 	}