From 08f4b5283b5bee902dbcabc059fe11600898e925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dimitri=20Lavren=C3=BCk?= <dimitri.lavrenuek@n8n.io>
Date: Wed, 25 Feb 2026 14:56:52 +0100
Subject: [PATCH 1/6] fix: Improve chat message button handling

---
 .../src/__tests__/MessageWithButtons.spec.ts  | 78 +++++++++++++++++++
 .../src/components/MessageWithButtons.vue     | 13 ++++
 2 files changed, 91 insertions(+)
 create mode 100644 packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts

diff --git a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
new file mode 100644
index 0000000000000..c9f2e36635a7d
--- /dev/null
+++ b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
@@ -0,0 +1,78 @@
+import { mount } from '@vue/test-utils';
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+import MessageWithButtons from '../components/MessageWithButtons.vue';
+import { waitFor } from '@testing-library/vue';
+
+vi.mock('../components/MarkdownRenderer.vue', () => ({
+	default: {
+		name: 'MarkdownRenderer',
+		template: '<div>{{ text }}</div>',
+		props: ['text'],
+	},
+}));
+
+const buttons = [
+	{ text: 'Confirm', link: '/api/confirm', type: 'primary' as const },
+	{ text: 'Cancel', link: '/api/cancel', type: 'secondary' as const },
+];
+
+describe('MessageWithButtons', () => {
+	beforeEach(() => {
+		vi.stubGlobal('fetch', vi.fn());
+		Object.defineProperty(window, 'location', {
+			value: new URL('http://localhost:5678/chat'),
+			writable: true,
+		});
+	});
+
+	afterEach(() => {
+		vi.restoreAllMocks();
+	});
+
+	it('fetches when the link is on the same origin', async () => {
+		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
+
+		const wrapper = mount(MessageWithButtons, {
+			props: { text: 'Please confirm', buttons },
+		});
+
+		await wrapper.findAll('button')[0].trigger('click');
+
+		await waitFor(() => expect(fetch).toHaveBeenCalledWith('/api/confirm'));
+	});
+
+	it('does not fetch when the link points to a different origin', async () => {
+		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
+
+		const externalButtons = [
+			{ text: 'Go', link: 'https://other-domain/approve', type: 'primary' as const },
+		];
+
+		const wrapper = mount(MessageWithButtons, {
+			props: { text: 'Click me', buttons: externalButtons },
+		});
+
+		await wrapper.find('button').trigger('click');
+		await new Promise((r) => setTimeout(r, 0));
+
+		expect(fetch).not.toHaveBeenCalled();
+	});
+
+	it('does not fetch for an absolute URL on a different domain even with same path', async () => {
+		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
+
+		const externalButtons = [
+			{ text: 'Go', link: 'http://other-host:5678/api/confirm', type: 'primary' as const },
+		];
+
+		const wrapper = mount(MessageWithButtons, {
+			props: { text: 'Click me', buttons: externalButtons },
+		});
+
+		await wrapper.find('button').trigger('click');
+		await new Promise((r) => setTimeout(r, 0));
+
+		expect(fetch).not.toHaveBeenCalled();
+	});
+});
diff --git a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
index c47a990cbe45a..755b1228d3113 100644
--- a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
+++ b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
@@ -15,11 +15,24 @@ defineProps<{
 
 const clickedButtonIndex = ref<number | null>(null);
 
+const isSameDomain = (link: string): boolean => {
+	try {
+		const url = new URL(link, window.location.href);
+		return url.origin === window.location.origin;
+	} catch {
+		return false;
+	}
+};
+
 const onClick = async (link: string, index: number) => {
 	if (clickedButtonIndex.value !== null) {
 		return;
 	}
 
+	if (!isSameDomain(link)) {
+		return;
+	}
+
 	const response = await fetch(link);
 	if (response.ok) {
 		clickedButtonIndex.value = index;

From 114f4c969204c2d4e15158ec3b4b75f01bcb53a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dimitri=20Lavren=C3=BCk?= <dimitri.lavrenuek@n8n.io>
Date: Wed, 25 Feb 2026 15:13:34 +0100
Subject: [PATCH 2/6] update functionality

---
 .../src/__tests__/MessageWithButtons.spec.ts  | 35 ++++++++++++-------
 .../src/components/MessageWithButtons.vue     |  9 +++--
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
index c9f2e36635a7d..d666e14025706 100644
--- a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
+++ b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
@@ -30,21 +30,21 @@ describe('MessageWithButtons', () => {
 		vi.restoreAllMocks();
 	});
 
-	it('fetches when the link is on the same origin', async () => {
+	it('renders and fetches when the link is on the same origin', async () => {
 		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
 
 		const wrapper = mount(MessageWithButtons, {
 			props: { text: 'Please confirm', buttons },
 		});
 
+		expect(wrapper.findAll('button')).toHaveLength(2);
+
 		await wrapper.findAll('button')[0].trigger('click');
 
 		await waitFor(() => expect(fetch).toHaveBeenCalledWith('/api/confirm'));
 	});
 
-	it('does not fetch when the link points to a different origin', async () => {
-		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
-
+	it('does not render a button when the link points to a different origin', () => {
 		const externalButtons = [
 			{ text: 'Go', link: 'https://other-domain/approve', type: 'primary' as const },
 		];
@@ -53,15 +53,11 @@ describe('MessageWithButtons', () => {
 			props: { text: 'Click me', buttons: externalButtons },
 		});
 
-		await wrapper.find('button').trigger('click');
-		await new Promise((r) => setTimeout(r, 0));
-
+		expect(wrapper.find('button').exists()).toBe(false);
 		expect(fetch).not.toHaveBeenCalled();
 	});
 
-	it('does not fetch for an absolute URL on a different domain even with same path', async () => {
-		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
-
+	it('does not render a button for an absolute URL on a different host with the same port', () => {
 		const externalButtons = [
 			{ text: 'Go', link: 'http://other-host:5678/api/confirm', type: 'primary' as const },
 		];
@@ -70,9 +66,22 @@ describe('MessageWithButtons', () => {
 			props: { text: 'Click me', buttons: externalButtons },
 		});
 
-		await wrapper.find('button').trigger('click');
-		await new Promise((r) => setTimeout(r, 0));
-
+		expect(wrapper.find('button').exists()).toBe(false);
 		expect(fetch).not.toHaveBeenCalled();
 	});
+
+	it('renders only same-origin buttons when the list contains mixed URLs', () => {
+		const mixedButtons = [
+			{ text: 'Safe', link: '/api/confirm', type: 'primary' as const },
+			{ text: 'Unsafe', link: 'https://evil.example.com/steal', type: 'secondary' as const },
+		];
+
+		const wrapper = mount(MessageWithButtons, {
+			props: { text: 'Choose', buttons: mixedButtons },
+		});
+
+		const rendered = wrapper.findAll('button');
+		expect(rendered).toHaveLength(1);
+		expect(rendered[0].text()).toBe('Safe');
+	});
 });
diff --git a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
index 755b1228d3113..6dc54b7334c50 100644
--- a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
+++ b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
@@ -29,10 +29,6 @@ const onClick = async (link: string, index: number) => {
 		return;
 	}
 
-	if (!isSameDomain(link)) {
-		return;
-	}
-
 	const response = await fetch(link);
 	if (response.ok) {
 		clickedButtonIndex.value = index;
@@ -46,7 +42,10 @@ const onClick = async (link: string, index: number) => {
 		<div :class="$style.buttons">
 			<template v-for="(button, index) in buttons" :key="button.text">
 				<Button
-					v-if="clickedButtonIndex === null || index === clickedButtonIndex"
+					v-if="
+						isSameDomain(button.link) &&
+						(clickedButtonIndex === null || index === clickedButtonIndex)
+					"
 					element="button"
 					:type="button.type"
 					:disabled="index === clickedButtonIndex"

From 0745e0375958233475ab6bb2b9930de35a47c541 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dimitri=20Lavren=C3=BCk?= <dimitri.lavrenuek@n8n.io>
Date: Wed, 25 Feb 2026 16:21:15 +0100
Subject: [PATCH 3/6] include configured origin in check

---
 .../src/__tests__/MessageWithButtons.spec.ts  | 63 +++++++++++++++----
 .../src/components/MessageWithButtons.vue     |  9 ++-
 2 files changed, 57 insertions(+), 15 deletions(-)

diff --git a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
index d666e14025706..a8cff73b369b3 100644
--- a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
+++ b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
@@ -1,8 +1,8 @@
+import { waitFor } from '@testing-library/vue';
 import { mount } from '@vue/test-utils';
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 
 import MessageWithButtons from '../components/MessageWithButtons.vue';
-import { waitFor } from '@testing-library/vue';
 
 vi.mock('../components/MarkdownRenderer.vue', () => ({
 	default: {
@@ -12,7 +12,18 @@ vi.mock('../components/MarkdownRenderer.vue', () => ({
 	},
 }));
 
-const buttons = [
+vi.mock('@n8n/chat/composables', () => ({
+	useOptions: () => ({
+		options: {
+			webhookUrl: 'https://webhook.example.com/webhook/123/chat',
+		},
+	}),
+}));
+
+const editorOrigin = 'http://localhost:5678';
+const webhookOrigin = 'https://webhook.example.com';
+
+const sameDomainButtons = [
 	{ text: 'Confirm', link: '/api/confirm', type: 'primary' as const },
 	{ text: 'Cancel', link: '/api/cancel', type: 'secondary' as const },
 ];
@@ -21,7 +32,7 @@ describe('MessageWithButtons', () => {
 	beforeEach(() => {
 		vi.stubGlobal('fetch', vi.fn());
 		Object.defineProperty(window, 'location', {
-			value: new URL('http://localhost:5678/chat'),
+			value: new URL(`${editorOrigin}/chat`),
 			writable: true,
 		});
 	});
@@ -30,11 +41,11 @@ describe('MessageWithButtons', () => {
 		vi.restoreAllMocks();
 	});
 
-	it('renders and fetches when the link is on the same origin', async () => {
+	it('renders and fetches when the link is on the same origin as the editor', async () => {
 		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
 
 		const wrapper = mount(MessageWithButtons, {
-			props: { text: 'Please confirm', buttons },
+			props: { text: 'Please confirm', buttons: sameDomainButtons },
 		});
 
 		expect(wrapper.findAll('button')).toHaveLength(2);
@@ -44,9 +55,31 @@ describe('MessageWithButtons', () => {
 		await waitFor(() => expect(fetch).toHaveBeenCalledWith('/api/confirm'));
 	});
 
-	it('does not render a button when the link points to a different origin', () => {
+	it('renders and fetches when the link is on the configured webhook origin', async () => {
+		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
+
+		const webhookButtons = [
+			{
+				text: 'Approve',
+				link: `${webhookOrigin}/webhook/123/approve`,
+				type: 'primary' as const,
+			},
+		];
+
+		const wrapper = mount(MessageWithButtons, {
+			props: { text: 'Please approve', buttons: webhookButtons },
+		});
+
+		expect(wrapper.find('button').exists()).toBe(true);
+
+		await wrapper.find('button').trigger('click');
+
+		await waitFor(() => expect(fetch).toHaveBeenCalledWith(`${webhookOrigin}/webhook/123/approve`));
+	});
+
+	it('does not render a button when the link points to an unrecognized origin', () => {
 		const externalButtons = [
-			{ text: 'Go', link: 'https://other-domain/approve', type: 'primary' as const },
+			{ text: 'Go', link: 'https://broken-link.com/approve', type: 'primary' as const },
 		];
 
 		const wrapper = mount(MessageWithButtons, {
@@ -70,10 +103,15 @@ describe('MessageWithButtons', () => {
 		expect(fetch).not.toHaveBeenCalled();
 	});
 
-	it('renders only same-origin buttons when the list contains mixed URLs', () => {
+	it('renders only valid-origin buttons when the list contains mixed URLs', () => {
 		const mixedButtons = [
-			{ text: 'Safe', link: '/api/confirm', type: 'primary' as const },
-			{ text: 'Unsafe', link: 'https://evil.example.com/steal', type: 'secondary' as const },
+			{ text: 'Editor', link: '/api/confirm', type: 'primary' as const },
+			{
+				text: 'Webhook',
+				link: `${webhookOrigin}/webhook/123/approve`,
+				type: 'secondary' as const,
+			},
+			{ text: 'Other', link: 'http://broken-url/approve', type: 'secondary' as const },
 		];
 
 		const wrapper = mount(MessageWithButtons, {
@@ -81,7 +119,8 @@ describe('MessageWithButtons', () => {
 		});
 
 		const rendered = wrapper.findAll('button');
-		expect(rendered).toHaveLength(1);
-		expect(rendered[0].text()).toBe('Safe');
+		expect(rendered).toHaveLength(2);
+		expect(rendered[0].text()).toBe('Editor');
+		expect(rendered[1].text()).toBe('Webhook');
 	});
 });
diff --git a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
index 6dc54b7334c50..fb068bca5eb7a 100644
--- a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
+++ b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
@@ -1,4 +1,5 @@
 <script setup lang="ts">
+import { useOptions } from '@n8n/chat/composables';
 import { ref } from 'vue';
 
 import Button from './Button.vue';
@@ -13,12 +14,14 @@ defineProps<{
 	}>;
 }>();
 
+const chatOptions = useOptions();
 const clickedButtonIndex = ref<number | null>(null);
 
-const isSameDomain = (link: string): boolean => {
+const isValidOrigin = (link: string): boolean => {
 	try {
+		const validOrigins = [window.location.origin, new URL(chatOptions.options.webhookUrl).origin];
 		const url = new URL(link, window.location.href);
-		return url.origin === window.location.origin;
+		return validOrigins.includes(url.origin);
 	} catch {
 		return false;
 	}
@@ -43,7 +46,7 @@ const onClick = async (link: string, index: number) => {
 			<template v-for="(button, index) in buttons" :key="button.text">
 				<Button
 					v-if="
-						isSameDomain(button.link) &&
+						isValidOrigin(button.link) &&
 						(clickedButtonIndex === null || index === clickedButtonIndex)
 					"
 					element="button"

From 10a0fc03fe404fbb18a1613838821c901d5eb16a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dimitri=20Lavren=C3=BCk?= <dimitri.lavrenuek@n8n.io>
Date: Wed, 25 Feb 2026 16:32:34 +0100
Subject: [PATCH 4/6] fixed linting errors

---
 .../frontend/@n8n/chat/src/components/MessageWithButtons.vue   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
index fb068bca5eb7a..420da19b6b3e6 100644
--- a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
+++ b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
@@ -1,7 +1,8 @@
 <script setup lang="ts">
-import { useOptions } from '@n8n/chat/composables';
 import { ref } from 'vue';
 
+import { useOptions } from '@n8n/chat/composables';
+
 import Button from './Button.vue';
 import MarkdownRenderer from './MarkdownRenderer.vue';
 

From 41ad9fb2f7d8df32c573487fbd98159fa1f89cec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dimitri=20Lavren=C3=BCk?= <dimitri.lavrenuek@n8n.io>
Date: Wed, 25 Feb 2026 16:55:29 +0100
Subject: [PATCH 5/6] update tests

---
 .../src/__tests__/MessageWithButtons.spec.ts  | 20 +++++++------------
 .../src/components/MessageWithButtons.vue     |  4 ++--
 2 files changed, 9 insertions(+), 15 deletions(-)

diff --git a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
index a8cff73b369b3..f39ea7c8631e3 100644
--- a/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
+++ b/packages/frontend/@n8n/chat/src/__tests__/MessageWithButtons.spec.ts
@@ -23,7 +23,7 @@ vi.mock('@n8n/chat/composables', () => ({
 const editorOrigin = 'http://localhost:5678';
 const webhookOrigin = 'https://webhook.example.com';
 
-const sameDomainButtons = [
+const relativeUrlButtons = [
 	{ text: 'Confirm', link: '/api/confirm', type: 'primary' as const },
 	{ text: 'Cancel', link: '/api/cancel', type: 'secondary' as const },
 ];
@@ -41,18 +41,13 @@ describe('MessageWithButtons', () => {
 		vi.restoreAllMocks();
 	});
 
-	it('renders and fetches when the link is on the same origin as the editor', async () => {
-		vi.mocked(fetch).mockResolvedValue({ ok: true } as Response);
-
+	it('does not render buttons whose links do not match the configured webhook origin', () => {
 		const wrapper = mount(MessageWithButtons, {
-			props: { text: 'Please confirm', buttons: sameDomainButtons },
+			props: { text: 'Please confirm', buttons: relativeUrlButtons },
 		});
 
-		expect(wrapper.findAll('button')).toHaveLength(2);
-
-		await wrapper.findAll('button')[0].trigger('click');
-
-		await waitFor(() => expect(fetch).toHaveBeenCalledWith('/api/confirm'));
+		expect(wrapper.findAll('button')).toHaveLength(0);
+		expect(fetch).not.toHaveBeenCalled();
 	});
 
 	it('renders and fetches when the link is on the configured webhook origin', async () => {
@@ -119,8 +114,7 @@ describe('MessageWithButtons', () => {
 		});
 
 		const rendered = wrapper.findAll('button');
-		expect(rendered).toHaveLength(2);
-		expect(rendered[0].text()).toBe('Editor');
-		expect(rendered[1].text()).toBe('Webhook');
+		expect(rendered).toHaveLength(1);
+		expect(rendered[0].text()).toBe('Webhook');
 	});
 });
diff --git a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
index 420da19b6b3e6..e747efff115cc 100644
--- a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
+++ b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
@@ -20,9 +20,9 @@ const clickedButtonIndex = ref<number | null>(null);
 
 const isValidOrigin = (link: string): boolean => {
 	try {
-		const validOrigins = [window.location.origin, new URL(chatOptions.options.webhookUrl).origin];
+		const validOrigin = new URL(chatOptions.options.webhookUrl).origin;
 		const url = new URL(link, window.location.href);
-		return validOrigins.includes(url.origin);
+		return url.origin === validOrigin;
 	} catch {
 		return false;
 	}

From 57a0604b0870e72b280defb020af61d7c14742f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dimitri=20Lavren=C3=BCk?= <dimitri.lavrenuek@n8n.io>
Date: Wed, 25 Feb 2026 17:37:20 +0100
Subject: [PATCH 6/6] code improvements

---
 .../@n8n/chat/src/components/MessageWithButtons.vue  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
index e747efff115cc..ea1c07bcac055 100644
--- a/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
+++ b/packages/frontend/@n8n/chat/src/components/MessageWithButtons.vue
@@ -18,11 +18,14 @@ defineProps<{
 const chatOptions = useOptions();
 const clickedButtonIndex = ref<number | null>(null);
 
-const isValidOrigin = (link: string): boolean => {
+const isButtonVisible = (link: string, index: number): boolean => {
 	try {
 		const validOrigin = new URL(chatOptions.options.webhookUrl).origin;
 		const url = new URL(link, window.location.href);
-		return url.origin === validOrigin;
+		if (url.origin !== validOrigin) {
+			return false;
+		}
+		return clickedButtonIndex.value === null || index === clickedButtonIndex.value;
 	} catch {
 		return false;
 	}
@@ -46,10 +49,7 @@ const onClick = async (link: string, index: number) => {
 		<div :class="$style.buttons">
 			<template v-for="(button, index) in buttons" :key="button.text">
 				<Button
-					v-if="
-						isValidOrigin(button.link) &&
-						(clickedButtonIndex === null || index === clickedButtonIndex)
-					"
+					v-if="isButtonVisible(button.link, index)"
 					element="button"
 					:type="button.type"
 					:disabled="index === clickedButtonIndex"