Hello,
Reply from RMS team:
"CSP headers are no longer set for /account/authorize endpoint in Production RMS environment.
Removing the CSP headers from all RMS pages would introduce a security risk because other websites could impersonate RMS using iframes."
Best regards,