We should consider merging <https://src.chromium.org/viewvc/blink?view=rev&revision=185554>. CSP: Permit exempting schemes only for certain policy areas. Only the image and style policy areas are included in this CL, but the approach can be easily extended to other policy areas if desired.
<rdar://problem/24383303>
This issue is not applicable to WebKit as we do not have Blink-in-JS. In WebKit we make use of user agent shadow DOM and isolated worlds to implement browser features using markup and JavaScript, respectively. The Content Security Policy of a page applies to neither an isolated world nor to sub resource loads initiated from a user agent shadow DOM.