customBackendUrl blocked by restrictive CSP directive #14

@prismaticoder

Description

When using hyper-js with a customBackendUrl (for self-hosted deployments), the request is correctly routed to the custom backend.
However, the SDK injects a hardcoded Content Security Policy (CSP) directive that only allows specific Hyperswitch API (and localhost) domains. This prevents the browser from actually making the request to the configured customBackendUrl.

Example Code

```javascript
const hyper = await loadHyper(publishable_key, {
  env: environment === "sandbox" ? "SANDBOX" : "PROD",
  customBackendUrl: "https://mycustombackend.com",
});
```

Observed Error

```text
Refused to connect to 'https://mycustombackend.com/payments/session_tokens'
because it violates the following Content Security Policy directive:
"connect-src 'self' https://checkout.hyperswitch.io https://dev.hyperswitch.io
 https://beta.hyperswitch.io https://live.hyperswitch.io https://integ.hyperswitch.io
 https://integ-api.hyperswitch.io https://app.hyperswitch.io https://sandbox.hyperswitch.io
 https://api.hyperswitch.io ... [etc]"
```

Expected Behavior:

When customBackendUrl is provided, the SDK should either:

  • Not inject restrictive CSP headers at all, OR
  • Dynamically include the customBackendUrl in the connect-src directive.

Impact:

This makes self-hosting unusable because the SDK effectively blocks communication with any non-Hyperswitch backend.

Environment:

  • hyper-js version: ^2.0.4
  • Deployment: Self-hosted backend with customBackendUrl

Steps to Reproduce:

  • Initialize hyper-js with customBackendUrl.
  • Attempt to create a payment session.
  • See CSP violation error in the browser console.

Suggested Fix:

  • Adjust CSP handling to allow customBackendUrl domains.
  • Provide a way to opt out of SDK-injected CSP entirely for self-hosted scenarios.
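The following is an added example illustrating the second option under "Expected Behavior" and the first "Suggested Fix" bullet; it is not hyper-js code and does not show how the SDK currently builds its policy. It reduces a configured customBackendUrl to a CSP origin (dropping path, query and credentials, and refusing plain-http origins other than localhost so the policy is not widened by a typo), appends that origin to the default connect-src list quoted in this issue, and includes a simplified matcher that reproduces the browser's allow/deny decision so the "before" and "after" directives can be compared. The function names, the page origin `https://shop.example` and the localhost rule are assumptions made for the example.

```javascript
// Added example (not hyper-js code): building a connect-src directive that
// includes a self-hosted backend origin, plus a simplified matcher that
// reproduces the browser's decision for the error quoted in this issue.

// Default allow-list, copied from the directive quoted in the issue.
const HYPERSWITCH_CONNECT_SRC = [
  "'self'",
  "https://checkout.hyperswitch.io",
  "https://dev.hyperswitch.io",
  "https://beta.hyperswitch.io",
  "https://live.hyperswitch.io",
  "https://integ.hyperswitch.io",
  "https://integ-api.hyperswitch.io",
  "https://app.hyperswitch.io",
  "https://sandbox.hyperswitch.io",
  "https://api.hyperswitch.io",
];

// Reduce a configured backend URL to the origin form CSP needs
// ("scheme://host[:port]"). Only https is accepted, with http allowed for
// localhost only (an assumption for this example, mirroring the localhost
// allowance the issue mentions), so a misconfigured plain-http backend cannot
// silently widen the policy. Returns null when the value is unusable.
function backendOrigin(customBackendUrl) {
  let url;
  try {
    url = new URL(customBackendUrl);
  } catch {
    return null;
  }
  const isLocal = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  if (url.protocol !== "https:" && !(url.protocol === "http:" && isLocal)) {
    return null;
  }
  return url.origin; // drops path, query and userinfo
}

// Build the connect-src directive: the default allow-list plus, when
// configured, the custom backend origin. Throws instead of emitting a policy
// that would fail at request time.
function buildConnectSrc(customBackendUrl, defaults = HYPERSWITCH_CONNECT_SRC) {
  const sources = [...defaults];
  if (customBackendUrl !== undefined) {
    const origin = backendOrigin(customBackendUrl);
    if (origin === null) {
      throw new Error(`customBackendUrl is not an https origin: ${customBackendUrl}`);
    }
    if (!sources.includes(origin)) sources.push(origin);
  }
  return `connect-src ${sources.join(" ")}`;
}

// Simplified CSP source matching: a request is allowed when its origin equals
// one of the listed host sources; 'self' is resolved against the page origin.
// Real browsers also handle wildcards and scheme-only sources, which the
// directive in this issue does not use.
function connectAllowed(directive, requestUrl, pageOrigin) {
  const sources = directive.replace(/^connect-src\s+/, "").split(/\s+/);
  const target = new URL(requestUrl).origin;
  return sources.some((src) =>
    src === "'self'" ? target === pageOrigin : src === target
  );
}
```

With the default directive, `connectAllowed(buildConnectSrc(undefined), "https://mycustombackend.com/payments/session_tokens", "https://shop.example")` is false, which is the "Refused to connect" error above; after `buildConnectSrc("https://mycustombackend.com")` the same request is allowed while the Hyperswitch origins remain listed. Adding only the origin, never the full URL, keeps the directive valid and avoids over-broad entries.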
