From quick search, I only found mxr.mozilla.org as XMLHTTPRequest which would need connect-src. Others are generic code from jquery.
Note that crxcavator also identified multiple javascript libraries which would need an update. (low to medium severity)
This just adds content-security-policy to Chrome/Firefox/Opera manifests which should decrease risk score on https://crxcavator.io/report/jeoacafpbcihiomhlakheieifhpjdfeo?platform=Chrome&new_scan=true
From quick search, I only found mxr.mozilla.org as XMLHTTPRequest which would need connect-src. Others are generic code from jquery. Note that crxcavator also identified multiple javascript libraries which would need an update. (low to medium severity)