allow-same-origin problem in latest version(1.112.6)

[joweste]

Bug Description

After I just update to n8n@1.112.6 version my html reponse from webhook stops to work.

I use localstorage in my html code.

When the html load in browser, I get:
"Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag."

Trying solve the problem I tried to set Content-Security-Policy to allow-same-origin in "Response Headers" of "Responde to Webhook" node, but no look. The problem continues.

To Reproduce

As mentioned on previous step

Expected behavior

localstorage should be work

Debug Info

Operating System

Ubuntu 24.02

n8n Version

1.112.6

Node.js Version

22.1t6.0

Database

PostgreSQL

Execution mode

main (default)

Hosting

self hosted

[Joffcom]

Hey @joweste,

Thank you for reaching out! We’ve received your issue and are looking into it. To help us track this internally, we’ve created a Linear ticket with the reference: "GHC-4670".

We’ll keep you updated as we make progress, but if you have any additional details or context to share, feel free to add them here - it’s always helpful!

Thanks for your patience and for bringing this to our attention.

[Joffcom]

Hey @joweste,

Does the webhook return html or any code?

[joweste]

Hey @joweste,

Does the webhook return html or any code?

Yes it returns my html. It has js code. But it shows the error because header is sandboxed without allow-same-origin

The error happends in localstorage when It tries execute it:

function toggleTheme() {
          if (htmlElement.classList.contains("dark")) {
            htmlElement.classList.remove("dark");
            localStorage.setItem("theme", "light");
          } else {
            htmlElement.classList.add("dark");
            localStorage.setItem("theme", "dark");
          }
}

here is the response header in chrome debugger:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols
ETag: W/"43a0-ct6ld6DaYBhK441Xt3h8oz6Scjw"
Vary: Accept-Encoding
Content-Encoding: br
Date: Fri, 26 Sep 2025 14:30:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

Here is my html:

login.html

[shyrahnama]

Had the same issue using @n8n/chat (https://www.npmjs.com/package/@n8n/chat) .. only way around it was to turn off loadPreviousSession when instantiating the chat. Did not have the issue with the same workflow on an earlier version of n8n.

[hadrien-toma]

I have same issue with the following code:

HTML

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Chat</title>
    <style>
        body {
            margin: 0;
            padding: 0;
        }
        .container {
            height: 100vh;
        }
    </style>
</head>
<body>
    <link href="https://cdn.jsdelivr.net/npm/@n8n/chat/dist/style.css" rel="stylesheet">
    <div class="container"></div>
    <script type="module">
        import { createChat } from 'https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js';
        createChat({
            webhookUrl: "https://***.app.n8n.cloud/webhook/***/chat",
            target: '.container',
            mode: 'fullscreen'
        });
    </script>
</body>
</html>

Error in browser console

DOMException: Window.localStorage getter: Forbidden in a sandboxed document without the 'allow-same-origin' flag.
    a https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:5095
    l https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:27947
    setup https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:27955
    sr https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:1803
    ms https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:1104
    xn https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:1111
    __weh https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:1796
    A1 https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:1205
    dt https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:3344
    mount https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:2301
    mount https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:4576
    S4e https://cdn.jsdelivr.net/npm/@n8n/chat/dist/chat.bundle.es.js:28029
    <anonymous> https://***.app.n8n.cloud/webhook/***:22

n8n version

• 1.112.6