diff --git a/src/oidc.js b/src/oidc.js
index 5318ed33d..414b8c0ab 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -487,6 +487,17 @@ function renderInteractionPage(provider) {
         options.submitUrl = `${ROUTE_PREFIX}/interaction/${uid}/${options.hasAccess ? 'confirm' : 'abort'}`;
+        let formActionRule = '*';
+        // add custom schemata to csp form-action rules
+        client.loginRedirectUri.split(',').forEach((u) => {
+            try {
+                const url = new URL(u);
+                if (url.protocol) formActionRule += ` ${url.protocol}`;
+            } catch (e) {}
+        });
+
+        res.set('Content-Security-Policy', `"default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action ${formActionRule};"`);
+
         return res.render('interaction', options);
     default:
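Review bot: The header value on the new `res.set('Content-Security-Policy', ...)` line is wrapped in literal double quotes inside the template literal, so the policy is sent as `"default-src 'none'; ...; form-action *;"`; browsers discard the unrecognized directive name `"default-src`, which silently drops `default-src 'none'` and leaves every directive not listed here (media-src, worker-src, manifest-src, …) unrestricted, and the trailing `"` becomes a bogus empty directive. Remove the `"` right after the opening backtick and the `"` right before the closing backtick so the value begins `default-src 'none';` and ends `form-action ${formActionRule};`. Separately, `form-action *` already permits posting to any http(s) origin, so the appended `url.protocol` entries only add non-network schemes; if the `*` is there to cover the post-confirm redirect to the client's `loginRedirectUri` (form-action is enforced on redirects in some browsers), `'self'` plus each parsed `url.origin` (falling back to `url.protocol` where `url.origin` is `'null'`) would be tighter — presumably worth confirming against the redirect flow before narrowing. The empty `catch (e) {}` hides malformed entries in `client.loginRedirectUri`; a debug log there would surface misconfiguration without changing the best-effort behavior. renderInteractionPage begins before and continues after this hunk, and `client` is defined outside it.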