0 response to /oauth/token in SPA using canonical domain

Problem Statement

Auth0 login is being blocked. Below is the error:

Refused to frame 'https://*******.au.auth0.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
  • 0 response when calling /oauth/token with canonical domain
  • The response headers for their SPA include: Content-Security-Policy: default-src 'self'

Cause

  • default-src 'self': this directive is the fallback for all fetch directives (see CSP: default-src - HTTP | MDN), so it forces "everything" (scripts, XHR/fetch calls, frames, and so on) to be loaded from the current origin only.

  • The default-src 'self' policy is getting violated because the root domain on the application does not match the canonical tenant domain (the application is trying to fetch data from a different domain).

Solution

  • Add a custom domain.

  • If the custom domain solution will not work, the Content Security Policy for the SPA could instead be changed from default-src 'self' to, for example, default-src https:. All the possible values are listed in Content-Security-Policy - HTTP | MDN.
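To see why the policy above blocks the token call and the login frame, and what a tighter alternative to default-src https: looks like, here is an added example (not code from the article or from Auth0): a minimal JavaScript evaluator for CSP source lists. The SPA origin and the tenant domain tenant.au.auth0.com are constructed placeholders.

```javascript
// Added example, not code from the article or from Auth0: a minimal evaluator
// for CSP source lists that shows which fetches a policy allows.
// Directives that fall back to another directive when absent (CSP fallback chain).
const FALLBACK = { 'frame-src': ['frame-src', 'child-src', 'default-src'] };

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// The directive that actually governs a fetch type, e.g. an <iframe> load is
// checked against frame-src, then child-src, then default-src.
function effectiveDirective(policy, fetchType) {
  const chain = FALLBACK[fetchType] || [fetchType, 'default-src'];
  return chain.find((d) => d in policy) || null;
}

// Does one source expression ('self', https:, https://host, *.host) match a target URL?
function sourceMatches(source, target, self) {
  const t = new URL(target);
  if (source === "'self'") return t.origin === new URL(self).origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return t.protocol === source.toLowerCase();
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && t.protocol !== scheme.toLowerCase() + ':') return false;
  const h = t.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// true when a page at `self` may perform `fetchType` to `target` under `header`.
// No governing directive at all means the policy imposes no restriction.
function allows(header, self, fetchType, target) {
  const policy = parseCsp(header);
  const directive = effectiveDirective(policy, fetchType);
  if (!directive) return true;
  return policy[directive].some((s) => sourceMatches(s, target, self));
}

// Constructed origins: the SPA on one domain, the tenant's canonical Auth0 domain on another.
const app = 'https://app.example.com';
const tokenUrl = 'https://tenant.au.auth0.com/oauth/token';
const strict = "default-src 'self'";                // the policy from the problem statement
const scoped = "default-src 'self'; connect-src 'self' https://tenant.au.auth0.com; " +
               "frame-src https://tenant.au.auth0.com"; // allow only the tenant domain
console.log(allows(strict, app, 'connect-src', tokenUrl), allows(scoped, app, 'connect-src', tokenUrl)); // false true
```

Note that default-src https: admits every HTTPS origin, whereas the scoped policy opens connect-src and frame-src only to the tenant domain, which is the smaller change to make.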