This behavior should be optional.
I completely understand why you decided to add this constraint to avoid XSS and other horrible things, but it is very damaging in every workflow that already returns text or other stuff like JSON.
Edit:
After this post I discovered that if I pick return JSON it does not even require returning JSON-formatted stuff, so every reason you decided to add this constraint can be bypassed by switching to the return JSON type.
I absolutely see no point in this change, and from a security point of view it is not even good.
What is the error message (if any)?
They changed a component without any backwards compatibility.
Yeah, from their side at least they documented it and announced it.
I’m still here yelling at the cloud.
The implementation they did was poor because they didn’t actually solve the issue, since I can still shoot myself in the foot using JSON fields.
I think that’s perfectly legit. They’d go on thinking everything is ok if nobody yelled. It’s probably something the devs just didn’t consider. I’ve lost count of how many times something I’ve written has been nuked by a change that was done in the name of “security.” I’m pretty sure to get a job in data security you must prove that you’ve installed a double-walled steel door with deadbolts, padlocks, cameras w/ 24/7 monitoring, and an access approval policy on the bathrooms inside your own house.
Haha yeah, I’ll keep yelling as long as it takes. I just wish the fix had actually closed the loophole. Feels like they put a sign up that says “don’t shoot yourself” but left the gun loaded on the table. Appreciate the backup though, maybe enough noise will get it properly fixed.
Based on the last release note, is there a fix for this?
1.104.2 (2025-07-31)
Bug Fixes
Webhook Node: Don't wrap response in an iframe if it doesn't have HTML
Features
Env to disable webhook response iframe sandboxing (#17851) (c9e291a)
We removed the iframe wrapper from responses that don’t contain HTML / JavaScript, so an update should resolve it.
The other issue, with HTML being wrapped in an iframe (which has an env option to remove), is likely unrelated looking at your description. If you do look to add the env option, though, make sure you fully understand the risks.
StocktonF
A webhook might be hosted on the same domain as the main n8n instance rather than on a separate subdomain. This means it can access the local settings and cookies of the main application. If I install or copy a malicious workflow, and that workflow opens the webhook while I have an active session, it could easily steal my cookies and session data. As a result, I could lose full access to my n8n instance.
Since this tool is also used by non-expert developers, the use of an iframe helps block access to the main website context and protects users from accidentally compromising their own setup.
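As an added illustration (not n8n's own code) of the rationale StocktonF gives and of the 1.104.2 behaviour quoted above (wrap only when the body is HTML, with an opt-out flag), here is how such a wrapper can be built. The `sandboxingDisabled` parameter is a hypothetical stand-in for the env option the release note mentions, and the markup-sniffing heuristic is an assumption of this example.

```javascript
// Added example: isolate a webhook's HTML response from the n8n origin by
// serving it inside a sandboxed iframe, and leave JSON / plain text untouched.

// Heuristic (assumption): a body "has HTML" if it contains a tag-like token.
// Deliberately requires no space after '<' so "a < b and c > d" is not HTML.
const HTML_TAG_RE = /<\/?[a-z!][a-z0-9-]*[\s>\/]/i;

function looksLikeHtml(contentType, body) {
  const ct = (contentType || '').toLowerCase();
  if (ct.startsWith('text/html') || ct.startsWith('application/xhtml+xml')) return true;
  // Content-Type may be missing or wrong, so also sniff the body itself.
  return HTML_TAG_RE.test(body || '');
}

// Escape for a double-quoted HTML attribute. srcdoc is attribute-decoded
// before being parsed as a document, so the escaped markup renders normally.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// sandboxingDisabled (hypothetical) mirrors the env opt-out from the release note.
function wrapWebhookResponse({ contentType, body, sandboxingDisabled = false }) {
  if (sandboxingDisabled || !looksLikeHtml(contentType, body)) {
    // JSON, text, etc. pass through exactly as the workflow returned them.
    return { contentType, body, wrapped: false };
  }
  // "allow-scripts" without "allow-same-origin" gives the frame an opaque
  // origin: its scripts run, but cannot read the parent's cookies, storage
  // or DOM, which is the cookie/session exposure the post describes.
  const wrapper =
    '<!doctype html><html><head><meta charset="utf-8"></head><body style="margin:0">' +
    `<iframe sandbox="allow-scripts" srcdoc="${escapeAttr(body)}" ` +
    'style="border:0;width:100%;height:100vh"></iframe></body></html>';
  return { contentType: 'text/html; charset=utf-8', body: wrapper, wrapped: true };
}

// Constructed sample inputs.
const jsonResp = wrapWebhookResponse({ contentType: 'application/json', body: '{"ok":true}' });
const htmlResp = wrapWebhookResponse({ contentType: 'text/html', body: '<h1>Hello</h1>' });
console.log(jsonResp.wrapped, htmlResp.wrapped); // false true
```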