These are the settings that I’ve found to be necessary:
Sandbox
  script-src
    https://*.squarecdn.com
    https://js.squareupsandbox.com
  connect-src
    https://pci-connect.squareupsandbox.com

Production
  script-src
    https://*.squarecdn.com
    https://js.squareup.com
  connect-src
    https://pci-connect.squareup.com
There should also be verbiage around having to use a Nonce with the inline script provided at https://developer.squareup.com/reference/sdks/web/payments when using CSP.
(This sample HTML snippet has been very handy and works well, although I think there is opportunity to make it a little less brittle. A topic for another post however…)
Thanks
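
An added example, not part of the original post and not Square's code: a Node.js sketch that builds the Content-Security-Policy header value from the hosts listed above and ties a per-response nonce to the inline script. The function names, the `basePolicy` shape and its `default-src 'self'` default are assumptions made for illustration.

```javascript
// Hosts per environment, copied from the post above.
const SQUARE_CSP = {
  sandbox: {
    "script-src": ["https://*.squarecdn.com", "https://js.squareupsandbox.com"],
    "connect-src": ["https://pci-connect.squareupsandbox.com"],
  },
  production: {
    "script-src": ["https://*.squarecdn.com", "https://js.squareup.com"],
    "connect-src": ["https://pci-connect.squareup.com"],
  },
};

// Web Crypto is a global in current Node.js; older runtimes expose it via node:crypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Fresh 128-bit nonce. Generate one per HTTP response and never reuse it.
function newNonce() {
  return Buffer.from(webCrypto.getRandomValues(new Uint8Array(16))).toString("base64");
}

// Merge the site's own policy (assumed shape: directive -> source list) with
// the Square hosts and the nonce, then serialize the header value.
function buildCsp(env, nonce, basePolicy = { "default-src": ["'self'"] }) {
  if (!Object.hasOwn(SQUARE_CSP, env)) throw new Error(`unknown Square environment: ${env}`);
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(nonce)) throw new Error("nonce must be base64");

  const policy = {};
  for (const [name, sources] of Object.entries(basePolicy)) policy[name] = [...sources];
  for (const [name, sources] of Object.entries(SQUARE_CSP[env])) {
    // A directive that is set stops inheriting from default-src, so seed it
    // with the fallback sources; 'none' must not be mixed with other sources.
    const seed = (policy[name] ?? policy["default-src"] ?? []).filter((s) => s !== "'none'");
    policy[name] = [...new Set([...seed, ...sources])];
  }
  policy["script-src"].push(`'nonce-${nonce}'`);
  return Object.entries(policy).map(([name, sources]) => `${name} ${sources.join(" ")}`).join("; ");
}

// The inline script tag must carry the same nonce that the header announces.
// body is assumed to be trusted, static code (never user input).
function inlineScriptTag(nonce, body) {
  return `<script nonce="${nonce}">${body}</script>`;
}
```

Call `newNonce()` once per response and pass the same value to both `buildCsp` and `inlineScriptTag`; a nonce that is cached or baked into a static page gives no protection.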