Hello!
It will be useful for us to have the CSP for the Snipcart Checkout integration in the Snipcart Documentation (all domains / sub-domains, by type, used by Snipcart).
For the moment, I have been able to write this:
default-src 'self'; script-src 'self' cdn.snipcart.com 'unsafe-eval'; style-src 'self' cdn.snipcart.com; connect-src 'self' app.snipcart.com cdn.snipcart.com payment.snipcart.com; font-src 'self' fonts.bunny.net; frame-src 'self' payment.snipcart.com
But if the domains evolve in the future, the checkout could become unusable. It would be interesting to have an official CSP directive.
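
The concern above, as an added example that is not part of the original post and is not Snipcart's code: a small Node.js checker that parses the policy from the post and lists which resource loads it would block. The sample loads, the `shop.example` origin, the `cdn2.snipcart.example` host and the function names are constructed for illustration, and the source matching is simplified (hosts and `'self'` only, with fallback straight to `default-src`).

```javascript
// Policy string copied from the post above.
const POLICY = "default-src 'self'; script-src 'self' cdn.snipcart.com 'unsafe-eval'; " +
  "style-src 'self' cdn.snipcart.com; connect-src 'self' app.snipcart.com cdn.snipcart.com " +
  "payment.snipcart.com; font-src 'self' fonts.bunny.net; frame-src 'self' payment.snipcart.com";

// Split a CSP header value into { directive: [source expressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // Per CSP, a repeated directive is ignored: the first occurrence wins.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified source matching: 'self', bare hosts and *.host wildcards only.
// Schemes, ports, paths, nonces and hashes are not modelled (assumption).
function isAllowed(directives, directive, url, selfOrigin) {
  const sources = directives[directive] ?? directives["default-src"] ?? [];
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === selfOrigin;
    if (src.startsWith("'")) return false; // keywords such as 'unsafe-eval' match no URL
    if (src.startsWith("*.")) return target.hostname.endsWith(src.slice(1));
    return target.hostname === src.toLowerCase();
  });
}

// Return the [directive, url] pairs that the policy would block.
function blockedLoads(policy, loads, selfOrigin) {
  const directives = parseCsp(policy);
  return loads.filter(([directive, url]) => !isAllowed(directives, directive, url, selfOrigin));
}

// Constructed sample loads. The last two simulate a future host change and a
// resource type (img-src) that is not listed and so falls back to default-src.
const SAMPLE_LOADS = [
  ["script-src", "https://cdn.snipcart.com/example.js"],
  ["connect-src", "https://app.snipcart.com/example"],
  ["frame-src", "https://payment.snipcart.com/example"],
  ["font-src", "https://fonts.bunny.net/example.woff2"],
  ["script-src", "https://cdn2.snipcart.example/example.js"],
  ["img-src", "https://cdn.snipcart.com/example.png"],
];

console.log(blockedLoads(POLICY, SAMPLE_LOADS, "https://shop.example"));
```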