- Bug
- Resolution: Done
- Major
- None
- RH-SSO-7.6.6
Upstream issue: https://github.com/keycloak/keycloak/issues/24568
When front-channel logout is configured for an OIDC client, the logout is performed using an iframe that calls the client's front-channel logout URL. For example, in my sample client:
sample-rhsso <iframe src="http://localhost:8081/sample-rhsso/logout?sid=310d5fbf-7df7-4d75-957d-46208cdb77c2&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fmaster" style="display:none;"></iframe>
By default the CSP header is modified to allow the client URL in the iframe, adding the hostname of the client backchannel URL to the frame-src policy. In my sample:
Content-Security-Policy: frame-src localhost:8081 ; object-src 'none';
If a custom CSP header is configured in the realm, frame-src is not modified, and therefore the iframe is not loaded because it is not allowed. For example, if I change my realm's Realm Settings -> Security Defenses -> Content-Security-Policy to frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';
I'm just adding the style-src directive to the default CSP value, but now the CSP received by the browser is:
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';
And the backchannel URL is not called because it's not allowed by the CSP. So the client is not logged out.
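The following is an added example, not code from RH-SSO or Keycloak, that reproduces the check a browser makes here: it parses the two CSP headers quoted in this report, decides whether the front-channel logout iframe at localhost:8081 may load from the realm page at localhost:8080 (the `iss` value), and shows the merge of the client host into frame-src that the default CSP gets but the custom one does not. The source-expression matching is a simplified version of the CSP rules (host, port, scheme, 'self', 'none', wildcards); `allow_frame_origin` is the assumed fix, not the project's implementation.

```python
"""CSP frame-src check for the front-channel logout iframe described above.

Added example (not Keycloak/RH-SSO code). URLs and headers are the ones
quoted in the report; the matcher is a simplified CSP source-expression check.
"""
from urllib.parse import urlparse

# Values taken from the report: the realm page embedding the iframe (from the
# iss parameter) and the client front-channel logout URL the iframe points at.
REALM_PAGE_URL = "http://localhost:8080/realms/master"
LOGOUT_IFRAME_URL = ("http://localhost:8081/sample-rhsso/logout"
                     "?sid=310d5fbf-7df7-4d75-957d-46208cdb77c2"
                     "&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fmaster")
DEFAULT_CSP = "frame-src localhost:8081 ; object-src 'none';"
CUSTOM_CSP = ("frame-src 'self'; frame-ancestors 'self'; "
              "object-src 'none'; style-src 'self';")

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parsed):
    return parsed.port or _DEFAULT_PORTS.get(parsed.scheme)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; a repeated directive is ignored (first wins)."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items()) + ";"


def source_matches(source, url, page_url):
    """Does one CSP source expression allow loading `url` from a page at `page_url`?"""
    src = source.lower()
    target = urlparse(url)
    if src == "*":
        return True
    if src == "'self'":  # same scheme, host and effective port as the embedding page
        page = urlparse(page_url)
        return ((page.scheme, page.hostname, _effective_port(page))
                == (target.scheme, target.hostname, _effective_port(target)))
    if src.startswith("'"):  # 'none', nonces, hashes, 'unsafe-*' never match a URL
        return False
    if src.endswith(":") and "://" not in src:  # scheme-source such as "https:"
        return target.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")  # host-source: [scheme://]host[:port][/path]
    hostport = rest.split("/", 1)[0]
    host, port = hostport.rsplit(":", 1) if ":" in hostport else (hostport, None)
    if scheme and scheme != target.scheme:
        return False
    tgt_host = target.hostname or ""
    if host.startswith("*."):
        if not tgt_host.endswith(host[1:]):
            return False
    elif host != tgt_host:
        return False
    if port is None:  # no port in the source: only the scheme's default port matches
        return _effective_port(target) == _DEFAULT_PORTS.get(target.scheme)
    if port == "*":
        return True
    return port.isdigit() and int(port) == _effective_port(target)


def frame_allowed(header, frame_url, page_url):
    """True if the policy lets a page at page_url embed an iframe loading frame_url."""
    policy = parse_csp(header)
    # frame-src falls back to child-src, then default-src; no directive at all means allowed
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, frame_url, page_url) for s in policy[directive])
    return True


def allow_frame_origin(header, frame_url):
    """Add the frame URL's host[:port] to frame-src, keeping the rest of the policy.

    The report says RH-SSO does this to its default CSP; applying it to a
    custom CSP is the assumed fix, not the project's code."""
    policy = parse_csp(header)
    target = urlparse(frame_url)
    host_source = target.hostname + (f":{target.port}" if target.port else "")
    sources = list(policy.get("frame-src") or policy.get("child-src")
                   or policy.get("default-src") or [])
    sources = [s for s in sources if s.lower() != "'none'"]  # 'none' cannot be combined with a host
    if host_source not in sources:
        sources.append(host_source)
    policy["frame-src"] = sources
    return serialize_csp(policy)


if __name__ == "__main__":
    for name, csp in (("default", DEFAULT_CSP), ("custom", CUSTOM_CSP)):
        print(f"{name}: logout iframe allowed = "
              f"{frame_allowed(csp, LOGOUT_IFRAME_URL, REALM_PAGE_URL)}")
    print("merged:", allow_frame_origin(CUSTOM_CSP, LOGOUT_IFRAME_URL))
```

Running it shows the default policy allowing the iframe and the custom policy blocking it: 'self' is the realm origin on port 8080, and the client on port 8081 is a different origin, so the logout request never leaves the browser. When you set a custom CSP, the realm's frame-src must list every front-channel logout host yourself (or the server must keep merging it, as `allow_frame_origin` does), or the client session stays logged in exactly as described.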