There is an issue with apps scripts/requests. It throws an error on the browser console related to security CSP reports. Here is an example error:
[Report Only] Refused to connect to 'https://XXX' because it violates the following Content Security Policy directive: "connect-src 'self' .shopifycloud.com .shopifysvc.com .amazon.com .paypal.com *.facebook.com sessions.bugsnag.com analytics.tiktok.com bat.bing.com www.google-analytics.com ct.pinterest.com stats.g.doubleclick.net".
So it seems external scripts are allowed from certain domains only.
The error shows [Report Only], which means the error is informational and shouldn't affect how the script loads. Can you confirm in the network console that the script is indeed being blocked? If this is the case, please provide a shop_id or page URL and we can investigate further.
I'm not seeing anything in the console, what are you seeing that suggests there's an issue?
Note that if the console error shows [Report Only], this indicates the policy isn't actually being enforced, so any scripts that show up in an error like this aren't being blocked.
I see the [Report Only] warning on the cart page (not the ajax cart; you can get to the cart page by viewing on mobile), but now I'm not seeing it anymore. The issue that may have been related was that hitting the "Checkout" button from the cart page was causing a page reload instead of moving the user into checkout. I'm not able to replicate it anymore though, unfortunately.
My earlier comment had a misunderstanding. Researching this further, this console error is emitted by Chrome (and likely other browsers) and is controlled by the document's 'content-security-policy-report-only' header. I can't fault Shopify for wanting to use this header, so I have sent feedback to Chrome requesting that this log at the warning level.
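
As an added illustration (not part of the thread, and not Shopify's or Chrome's code), the sketch below shows the distinction discussed above: the same connect-src policy only reports a violation when delivered as Content-Security-Policy-Report-Only, and blocks the request when delivered as Content-Security-Policy. The function names, hosts and policy are constructed, and source matching is simplified (ports, paths and multiple comma-separated policies are ignored).

```javascript
// Added example: constructed policy and hosts; simplified CSP source matching.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first directive wins
  }
  return directives;
}

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === page.origin;
  if (s === "*") return ["http:", "https:", "ws:", "wss:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source such as https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  // Without an explicit scheme, require the page's scheme (or an upgrade to https).
  const schemeOk = scheme
    ? target.protocol === scheme + ":"
    : target.protocol === page.protocol || target.protocol === "https:";
  if (!schemeOk) return false;
  // "*.example.test" covers subdomains only, never the bare domain.
  return host.startsWith("*.") ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
}

function violates(policyValue, target, page) {
  if (policyValue === undefined) return false; // header absent: nothing to violate
  const d = parsePolicy(policyValue);
  const sources = d.get("connect-src") ?? d.get("default-src"); // connect-src falls back to default-src
  return sources !== undefined && !sources.some((s) => sourceMatches(s, target, page));
}

// blocked: the enforced header refuses the request.
// reportOnlyViolation: the browser logs "[Report Only] Refused to connect ..." but the request proceeds.
function evaluateConnect(headers, targetUrl, pageUrl) {
  const target = new URL(targetUrl), page = new URL(pageUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    blocked: violates(h["content-security-policy"], target, page),
    reportOnlyViolation: violates(h["content-security-policy-report-only"], target, page),
  };
}

const POLICY = "connect-src 'self' *.cdn.example.test analytics.example.test"; // constructed
const PAGE = "https://shop.example.test/cart";
console.log(evaluateConnect({ "Content-Security-Policy-Report-Only": POLICY }, "https://api.other.test/v1", PAGE));
console.log(evaluateConnect({ "Content-Security-Policy": POLICY }, "https://api.other.test/v1", PAGE));
```

When triaging a report like the one in this thread, checking which of the two headers the response actually carries answers whether the request was refused or only logged.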