diff --git a/plugins/csp/config.inc.php b/plugins/csp/config.inc.php
index c12bb45da613f48a6b240a3afc38f857cca9b971..1f2461a041611e602da793a0971362faf1f8747b 100644
--- a/plugins/csp/config.inc.php
+++ b/plugins/csp/config.inc.php
@@ -4,3 +4,6 @@
 // Set it to the relative URL path of the Roundcube installation.
 $config['csp_script_path'] = '/';
+// If non-empty, the proto + hostname to allow SSO requests,
+// e.g. https://sso.domain.org
+$config['csp_sso_hostname'] = '';
diff --git a/plugins/csp/csp.php b/plugins/csp/csp.php
index 3bcd90041aeee2599ce775045b47d53061f17c42..e613dc63c0190efa9a2336574857d24eeb722e7b 100644
--- a/plugins/csp/csp.php
+++ b/plugins/csp/csp.php
@@ -20,10 +20,16 @@ class csp extends rcube_plugin {
         $host = $_SERVER['HTTP_HOST'];
         $proto = rcube_utils::https_check() ? 'https' : 'http';
         $path = $rcmail->config->get('csp_script_path', '/');
+        $src_sso = "";
+        $sso_hostname = $rcmail->config->get('csp_sso_hostname', '');
+        if($sso_hostname != '') {
+            $src_sso .= "{$sso_hostname}";
+        }
         $csp_header = (
-            "default-src 'self'; " .
-            "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval'; " .
-            "style-src 'self' 'unsafe-inline'; object-src 'none'");
+            "default-src 'self' {$src_sso}; " .
+            "script-src 'self' {$proto}://{$host}{$path} 'unsafe-inline' 'unsafe-eval' {$src_sso}; " .
+            "style-src 'self' 'unsafe-inline' {$src_sso}; " .
+            "object-src 'none'");
         header("Content-Security-Policy: {$csp_header}");
         return $content;
     }
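Review bot: `$src_sso` is spliced verbatim into three CSP source lists with no shape check, so a `csp_sso_hostname` value containing `;`, whitespace or a `'`-quoted keyword would silently rewrite or append directives rather than add one origin; since the whole point of this header is to constrain script execution, the value should be accepted only if it is a single scheme://host[:port] source, e.g. `if (!preg_match('~^https?://[A-Za-z0-9.*-]+(:[0-9]+)?$~', $sso_hostname)) { $sso_hostname = ''; }` before it is used. Placing the origin in `default-src` also widens connect-src, img-src, frame-src and every other unlisted fetch directive to the SSO host; if only a redirect/frame or script load is needed, list it in the specific directive instead and say so in the config comment. Minor: `$src_sso .= "{$sso_hostname}"` on an empty string is just `$src_sso = $sso_hostname`, the `!= ''` comparison should be `!== ''`, and when the option is unset the header carries a stray space before each `;`, which is harmless but easier to avoid by prepending the space to the value (`$src_sso = ' ' . $sso_hostname;`) inside the guard. The enclosing method begins before this hunk, so its signature and `$rcmail` setup are not visible here.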