diff --git a/roles/web-svc-logout/tasks/01_core.yml b/roles/web-svc-logout/tasks/01_core.yml new file mode 100644 index 00000000..9a4111e1 --- /dev/null +++ b/roles/web-svc-logout/tasks/01_core.yml @@ -0,0 +1,31 @@ +- name: "Add logout domains to CSP connect-src" + set_fact: + applications: >- + {{ + applications | combine( + { + application_id: { + 'server': { + 'csp': { + 'whitelist': { + 'connect-src': LOGOUT_CONNECT_SRC_NEW + } + } + } + } + }, + recursive=True + ) + }} + +- name: "load docker, proxy for '{{ application_id }}'" + include_role: + name: sys-stk-full-stateless + +- name: Create symbolic link from .env file to repository + file: + src: "{{ docker_compose.files.env }}" + dest: "{{ [ docker_repository_path, '.env' ] | path_join }}" + state: link + +- include_tasks: utils/run_once.yml \ No newline at end of file diff --git a/roles/web-svc-logout/tasks/main.yml b/roles/web-svc-logout/tasks/main.yml index 2fdf8c33..bff786dd 100644 --- a/roles/web-svc-logout/tasks/main.yml +++ b/roles/web-svc-logout/tasks/main.yml @@ -1,14 +1,4 @@ --- - block: - - name: "load docker, proxy for '{{ application_id }}'" - include_role: - name: sys-stk-full-stateless - - - name: Create symbolic link from .env file to repository - file: - src: "{{ docker_compose.files.env }}" - dest: "{{ [ docker_repository_path, '.env' ] | path_join }}" - state: link - - - include_tasks: utils/run_once.yml + - include_tasks: 01_core.yml when: run_once_web_svc_logout is not defined \ No newline at end of file diff --git a/roles/web-svc-logout/templates/env.j2 b/roles/web-svc-logout/templates/env.j2 index 51813496..c869d44d 100644 --- a/roles/web-svc-logout/templates/env.j2 +++ b/roles/web-svc-logout/templates/env.j2 @@ -1,5 +1,5 @@ # Comma‑separated list of all subdomains to log out (no spaces) -LOGOUT_DOMAINS={{ logout_domains }} +LOGOUT_DOMAINS={{ LOGOUT_DOMAINS | join(',') }} # Port the logout service will listen on inside the container LOGOUT_PORT={{ container_port }} 
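Review bot: The `set_fact` on `applications` in the first task of `01_core.yml` replaces the inventory/group value of `applications` for this host for the rest of the play, since host facts take precedence over group and role vars; any later role reading `server.csp.whitelist.connect-src` for this application on this host sees the merged list, which is presumably intended but is not stated anywhere. `combine(..., recursive=True)` replaces lists rather than appending them, so the existing `connect-src` list is overwritten by `LOGOUT_CONNECT_SRC_NEW` — that is only correct because `vars/main.yml` builds `LOGOUT_CONNECT_SRC_NEW` from the old value plus the logout origins, and a comment above the task such as `# LOGOUT_CONNECT_SRC_NEW already includes the previous connect-src entries; recursive combine replaces the list` would make that dependency explicit. The new file also lacks the leading `---` that `tasks/main.yml` keeps and ends without a trailing newline.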
diff --git a/roles/web-svc-logout/vars/main.yml b/roles/web-svc-logout/vars/main.yml index f17da19a..0b693e70 100644 --- a/roles/web-svc-logout/vars/main.yml +++ b/roles/web-svc-logout/vars/main.yml @@ -6,7 +6,7 @@ container_port: 8000 # The following line leads to that services which arent listed directly in the inventory, # but are called over other roles, aren't listed here # @todo implement the calling of also dependency domains (propably the easiest to write a script which adds all dependencies to group_names) -logout_domains: >- - {{ - (applications | logout_domains(group_names)) | unique | join(',') - }} +LOGOUT_DOMAINS: "{{ (applications | logout_domains(group_names)) | unique }}" +LOGOUT_ORIGINS: "{{ LOGOUT_DOMAINS | map('regex_replace', '^(.*)$', WEB_PROTOCOL ~ '://\\1') | list }}" +LOGOUT_CONNECT_SRC_OLD: "{{ applications | get_app_conf(application_id,'server.csp.whitelist.connect-src') }}" +LOGOUT_CONNECT_SRC_NEW: "{{ (LOGOUT_CONNECT_SRC_OLD + LOGOUT_ORIGINS) | unique }}" \ No newline at end of file
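Review bot: `LOGOUT_CONNECT_SRC_NEW` joins `LOGOUT_CONNECT_SRC_OLD` and `LOGOUT_ORIGINS` with `+`, which assumes `get_app_conf` returns a list for `server.csp.whitelist.connect-src` even when the application defines no such key; `get_app_conf` is a project filter whose fallback is not visible here, and if it yields a string or an undefined value in that case the expression either concatenates characters or fails, so `LOGOUT_CONNECT_SRC_OLD: "{{ applications | get_app_conf(application_id,'server.csp.whitelist.connect-src') | default([]) }}"` (or a confirmed list default inside the filter) would harden it. The origins are prefixed with `WEB_PROTOCOL ~ '://'`, so `connect-src` is widened by one origin per logout domain under whatever scheme `WEB_PROTOCOL` holds; the `regex_replace('^(.*)$', ...)` form is more than needed for a prefix — `map('regex_replace', '^', WEB_PROTOCOL ~ '://')` does the same without a capture group. The file now mixes `container_port` with the upper-case `LOGOUT_*` names; if upper-case marks derived variables in this project, a short comment saying so would help readers.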