Whitelisted Square Domains for Content Security Policy & Web Payments SDK

Hello,

I don’t believe I’ve seen documented anywhere all of the Square domains that need to be whitelisted when employing Content Security Policy (Content Security Policy (CSP) - HTTP | MDN) in conjunction with the Web Payments SDK. It’s easy enough to figure out by following the breadcrumbs of complaint that a browser will log to the console, but it would be nice if this information was documented and thus a bit more contractual, especially if it were to ever change. Thanks.

You’ll want to enable traffic through the following ports.

- squareup.com:80
- squareup.com:443
- api.squareup.com:443
- connect.squareup.com:443
- connect.squareupsandbox.com:443
- docs.connect.squareup.com:443

You’re right, we don’t document this, and we can look into adding this to our documentation. Thanks for pointing this out. :slightly_smiling_face:

These are the settings that I’ve found to be necessary:

Sandbox

script-src
https://*.squarecdn.com
https://js.squareupsandbox.com

connect-src
https://pci-connect.squareupsandbox.com

Production

script-src
https://*.squarecdn.com
https://js.squareup.com

connect-src
https://pci-connect.squareup.com

There should also be verbiage around having to use a Nonce with the inline script provided at https://developer.squareup.com/reference/sdks/web/payments when using CSP.

(This sample HTML snippet has been very handy and works well, although I think there is opportunity to make it a little less brittle. A topic for another post however…)

Thanks

We’re constantly working to improve our features based on feedback like this, so I’ll be sure to share your request to the API product team. :slightly_smiling_face: