CSP xhr-src is missing
The current plan is to not implement this directive at this time. This directive is different from the other "src" directives in that it controls a DOM API rather than an HTML element. There are other DOM APIs that aren't covered, such as new Worker(). It seems like the main value in CSP is in controlling what HTML elements can do.