Describe the problem/error/question
We already have an issue, which was closed by mistake (Form submission returns 401 Unauthorized after upgrading to v2.2.4 (no Basic Auth enabled) · Issue #24218 · n8n-io/n8n · GitHub), and I have created a PR for it. Could someone please take a look?
master ← ademariag:fix/form-webhook-sandbox-csp-disable-env-not-respected
opened 09:00AM - 11 Mar 26 UTC
## Summary
Form trigger, form completion, and send-and-wait pages were not checking `isWebhookHtmlSandboxingDisabled()` before setting the `Content-Security-Policy: sandbox` header. This is inconsistent with how the webhook request handler works, which correctly checks the flag.
The CSP `sandbox` directive (without `allow-same-origin`) blocks access to `sessionStorage`, causing 401 Unauthorized errors in environments that store auth tokens in `sessionStorage` (e.g. Google Identity-Aware Proxy on Cloud Run).
**Root cause:** Four code paths set the sandbox CSP header unconditionally:
- `packages/nodes-base/nodes/Form/utils/formCompletionUtils.ts` — hardcoded CSP constant
- `packages/nodes-base/nodes/Form/utils/utils.ts` — form trigger render
- `packages/nodes-base/utils/sendAndWait/utils.ts` — send-and-wait form render (2 places)
- `packages/cli/src/webhooks/waiting-forms.ts` — waiting form completion render
**Fix:** All four files now call `isWebhookHtmlSandboxingDisabled()` before setting the header, matching the existing pattern in `webhook-request-handler.ts`. `formCompletionUtils.ts` also had the sandbox string hardcoded instead of using the shared `getWebhookSandboxCSP()` utility — that's fixed too.
**To test:** Set `N8N_INSECURE_DISABLE_WEBHOOK_IFRAME_SANDBOX=true` and verify form submission no longer sets a CSP header, resolving sessionStorage access errors in sandboxed iframe/proxy environments.
## Related Linear tickets, Github issues, and Community forum posts
fixes https://github.com/n8n-io/n8n/issues/24218
## Review / Merge checklist
- [x] PR title and summary are descriptive. ([conventions](../blob/master/.github/pull_request_title_conventions.md))
- [x] [Docs updated](https://github.com/n8n-io/n8n-docs) or follow-up ticket created. — No docs change needed: `N8N_INSECURE_DISABLE_WEBHOOK_IFRAME_SANDBOX` already exists and is documented; this PR fixes a bug where forms were not respecting it.
- [x] Tests included.
- [ ] PR Labeled with `release/backport` (if the PR is an urgent fix that needs to be backported)
This is preventing n8n from being used behind Identity Aware Proxies like Google IAP.
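To make the bug and the fix in the PR above concrete, here is an added example (not n8n's own code): the header-building pattern before and after the fix, plus a small check that tells you whether a given response's CSP leaves the page with an opaque origin, which is the condition that makes `sessionStorage` unreachable. The helper names `isSandboxingDisabled`/`sandboxCsp` are stand-ins for n8n's `isWebhookHtmlSandboxingDisabled()`/`getWebhookSandboxCSP()`, and reading the flag as the literal string `true` is an assumption.

```typescript
// Added example, not n8n's code. Env is passed in explicitly so this runs offline.
type Env = Record<string, string | undefined>;
type Headers = Record<string, string>;

// Stand-in for isWebhookHtmlSandboxingDisabled(); assumes the flag is the literal "true".
function isSandboxingDisabled(env: Env): boolean {
  return env.N8N_INSECURE_DISABLE_WEBHOOK_IFRAME_SANDBOX === 'true';
}

// Stand-in for getWebhookSandboxCSP(): a bare `sandbox` with no allow-same-origin.
function sandboxCsp(): string {
  return 'sandbox';
}

// Before the fix: the header was set unconditionally from a hardcoded string.
function formHeadersBefore(): Headers {
  return { 'Content-Type': 'text/html; charset=utf-8', 'Content-Security-Policy': 'sandbox' };
}

// After the fix: consult the flag first, and use the shared helper for the value.
function formHeadersAfter(env: Env): Headers {
  const headers: Headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (!isSandboxingDisabled(env)) {
    headers['Content-Security-Policy'] = sandboxCsp();
  }
  return headers;
}

// Defender's check: does this header set give the document an opaque origin?
// A `sandbox` directive without the allow-same-origin token does, which is why
// sessionStorage access fails and a proxy's token stored there is unreachable.
function originIsOpaque(headers: Headers): boolean {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'content-security-policy');
  if (!entry) return false;
  for (const directive of entry[1].split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0 || tokens[0].toLowerCase() !== 'sandbox') continue;
    return !tokens.slice(1).some((t) => t.toLowerCase() === 'allow-same-origin');
  }
  return false; // no sandbox directive at all: origin is the normal one
}
```

Run `originIsOpaque` against the headers your form endpoint actually returns (e.g. from `curl -i`) to confirm whether the flag is being honoured in your deployment.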
Hi @ademariag!
I saw that the issue workflow is pretty much finalized, and it looks like they’re only waiting for maintainer approval now. I believe the PR is likely on track for approval, but at this point, it probably just needs to go through their internal process. Have you already updated to the new 2.14 version?