0 response to /oauth/token in SPA using canonical domain

Problem Statement

Auth0 is blocking logging in. Below is the error

Refused to frame 'https://*******.au.auth0.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
  • 0 response when calling /oauth/token with canonical domain
  • The response headers for their SPA include: Content-Security-Policy default-src ‘self’


  • default-src 'self': - this directive will force “everything” (all fetch directives - CSP: default-src - HTTP | MDN) - to be loaded via from current domain only.

  • The default-src 'self' policy is getting violated because the root domain on the application does not match the canonical tenant domain (the application is trying to fetch data from a different domain).


  • add a custom domain

  • If the custom domain solution will not work, perhaps the Content Security Policy for the SPA can be changed from default-src 'self' to default-src https: (for example). Here are all the possible values: Content-Security-Policy - HTTP | MDN