Thanks for your reply. The violation can be triggered by any script or style inserted, or even by an with a src that does not adhere to the img-src CSP directive. Doing so will result in an securitypolicyviolation event and related error message in the inspector console. The same extension works without issue at least in Chrome.
I'll file a report for this with more detailed info and a sample extension. Thanks!
Topic:
Web Extensions
SubTopic:
Web Extensions Q&A