Application Security - Strict CSP form-action for login with Auth0 connections

I’m trying to increase the security of our application’s CSP and I have run into issues during the login process, specifically around the use of form-action on the login call. The same issue applies for logging out, but as there is just a single logout URL it is relatively simple to add the URL to our CSP.

This issue has been discussed in depth on the WebAppSec Content Security Policy github issue CSP: form-action and redirects · Issue #8 · w3c/webappsec-csp · GitHub, and it looks like other auth providers have run into a similar issue. I’m looking for advice on how to best approach this with auth0.

Example: I have a logout form button which points to /auth/logout, which then 302 redirects to https://#{AUTH0_DOMAIN}/v2/logout. My form-action CSP for logout looks like:

form-action 'self' https://#{AUTH0_DOMAIN}/v2/logout;

Where I am running into trouble is creating a stricter CSP rule for our login page. Example: I have a login form button which points to /auth/auth0, which then, depending on the user’s interactions, goes through a series of form 302 redirects, each of which needs a form-action entry in the CSP to work:

Redirect 1. https://#{AUTH0_DOMAIN}/authorize
Redirect 2. https://#{AUTH0_DOMAIN}/u/login/identifier
Redirect 3.
Redirect 4.

To get this working, my form-action CSP on the login page looks as follows (formatted with new lines for ease of reading):

form-action 'self'

I’m not opposed to listing all possible redirects in the CSP, however I worry that I might miss some, i.e. what if I add Facebook login? Or what if Google auth2 login has an extra redirect step?

Is there a better approach here, or a way to ask auth0 for all possible redirect urls? What are others doing to combine a stricter CSP with Auth0 and login form redirects?
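The following is an added example, not code from the original thread or from Auth0: it models how a browser matches a form submission against a `form-action` source list, including the CSP3 rule that once a submission has been redirected the path part of a host-source is ignored and only scheme, host and port must match (the behaviour discussed in the w3c/webappsec-csp issue the question cites). The tenant domain, page origin and redirect chain are constructed placeholders; `firstBlockedHop` reports which hop a given policy would block, and `directiveForChain` derives the tightest directive that still allows every hop.

```javascript
// Added example: a minimal model of CSP `form-action` matching with the
// redirect rule, plus a helper that derives the directive a login chain needs.
// Placeholder values: AUTH0_DOMAIN, PAGE_ORIGIN and LOGIN_CHAIN are constructed.

const AUTH0_DOMAIN = "example-tenant.us.auth0.com"; // assumed placeholder tenant
const PAGE_ORIGIN = "https://app.example.com";        // assumed application origin

// Constructed redirect chain: the form posts to the app, which 302s to Auth0,
// which 302s to its login page, which may 302 on to a social provider.
const LOGIN_CHAIN = [
  "https://app.example.com/auth/auth0",
  `https://${AUTH0_DOMAIN}/authorize`,
  `https://${AUTH0_DOMAIN}/u/login/identifier`,
  "https://accounts.google.com/o/oauth2/v2/auth", // constructed social-login hop
];

// Split a `form-action ...;` directive into its source expressions.
function parseFormAction(directive) {
  const tokens = directive.trim().replace(/;$/, "").split(/\s+/).filter(Boolean);
  if (tokens[0] && tokens[0].toLowerCase() === "form-action") tokens.shift();
  return tokens;
}

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80" }[protocol] || "";
}

// Does one source expression match `url`? Supports 'self', 'none', '*' and
// host-sources ([scheme://]host[:port][/path]); scheme-only sources are omitted
// for brevity. `afterRedirect` enables the CSP3 "skip the path check" rule.
function sourceMatches(source, url, pageOrigin, afterRedirect) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (source === "'none'") return false;
  if (source === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme.toLowerCase() !== target.protocol.slice(0, -1)) return false;
  if (!scheme && target.protocol !== "https:" && target.protocol !== "http:") return false;
  const targetHost = target.hostname.toLowerCase();
  const srcHost = host.toLowerCase();
  if (wildcard) {
    if (!targetHost.endsWith("." + srcHost)) return false;
  } else if (targetHost !== srcHost) {
    return false;
  }
  if (port && port !== "*" && port !== (target.port || defaultPort(target.protocol))) return false;
  // Path is only consulted for the initial submission, never after a redirect.
  if (path && !afterRedirect) {
    if (path.endsWith("/")) {
      if (!target.pathname.startsWith(path)) return false; // prefix match
    } else if (target.pathname !== path) {
      return false;                                         // exact match
    }
  }
  return true;
}

// Walk a submission through a redirect chain; return the first hop the policy
// would block, or null when every hop is allowed.
function firstBlockedHop(directive, pageOrigin, chain) {
  const sources = parseFormAction(directive);
  for (let i = 0; i < chain.length; i++) {
    const allowed = sources.some((s) => sourceMatches(s, chain[i], pageOrigin, i > 0));
    if (!allowed) return chain[i];
  }
  return null;
}

// Tightest directive covering the chain: 'self' plus each external origin once.
// Paths are deliberately dropped, since they would not be enforced after the
// first redirect anyway.
function directiveForChain(pageOrigin, chain) {
  const self = new URL(pageOrigin).origin;
  const origins = new Set();
  for (const hop of chain) {
    const origin = new URL(hop).origin;
    if (origin !== self) origins.add(origin);
  }
  return ["form-action 'self'", ...origins].join(" ") + ";";
}

console.log(firstBlockedHop("form-action 'self';", PAGE_ORIGIN, LOGIN_CHAIN));
console.log(directiveForChain(PAGE_ORIGIN, LOGIN_CHAIN));
```

Run with `node` to see the first blocked hop under `form-action 'self'` and the derived directive. The useful observation for the question above is that listing `https://<tenant>/authorize` with a path still lets the later `/u/login/identifier` hop through, because the path is not checked after a redirect; what must be enumerated is the set of origins in the chain, not every URL.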

Application-level logout uses v2/logout, while to log out of all other identity providers add the federated parameter like: /v2/logout?federated.
More info here. Federate Logout and SLO

@spoudel The question is about the Content Security Policy (CSP) header disallowing specific URLs, not federated logouts.

Sorry for the misunderstanding, I’ve not added CSP form-action on my login pages so I’m not aware of any method to get all the possible redirect URLs.
I can see how it can be greatly useful if the identity providers added all possible redirect URLs in the well-known-jks endpoint.