Content Security Policy Errors in Square Web Payments SDK

Hi Square Team,

I’ve integrated the Square Web Payments SDK (sandbox environment) into my Angular application. Recently, I started seeing Content Security Policy (CSP) errors in the browser console related to font loading inside the Square iframe.

These errors were not appearing earlier, but now they consistently show up. However, the payment flow itself is working correctly — card input renders, tokenization succeeds, and there are no functional issues.

I also checked the official demo application’s DevTools and noticed similar CSP console errors there as well.

Example error:
Loading the font ‘’ violates the following Content Security Policy directive: “font-src ‘report-sample’”. The action has been blocked.

I wanted to confirm:

• Is this due to a recent update or change in the Square Web Payments SDK or sandbox environment?

• Is this expected behavior?

• Do I need to make any changes on my side, or is it safe to ignore these console errors?

I’m noticing the same errors. There seems to be an issue with the Content-Security-Policy of the iframe (https://web.squarecdn.com/1.83.0/single-card-element-iframe.html) loaded in by the SDK. The payment form still works fine though. So it’s probably just not loading the intended font.

Thanks for share real breakdown. MyLoanCare com