CSP bypass for chrome extensions: http://www.planbox.com/blog/development/coding/bypassing-githubs-content-security-policy-chrome-extension.html

background.js

// Listens when new request
chrome.webRequest.onHeadersReceived.addListener(function(details) {
  for (i = 0; i < details.responseHeaders.length; i++) {
 
    if (isCSPHeader(details.responseHeaders[i].name.toUpperCase())) {
      var csp = details.responseHeaders[i].value;
 
      // append "https://mysite.com" to the authorized sites
      csp = csp.replace('script-src', 'script-src https://mysite.com');
      csp = csp.replace('style-src', 'style-src https://mysite.com');
 
      details.responseHeaders[i].value = csp;
    }
  }
 
  return { // Return the new HTTP header
    responseHeaders: details.responseHeaders
  };
}, {
  urls: ["https://github.com/*"],
  types: ["main_frame"]
}, ["blocking", "responseHeaders"]);
 
 
function isCSPHeader(headerName) {
  return (headerName == 'CONTENT-SECURITY-POLICY') || (headerName == 'X-WEBKIT-CSP');
}

manifest.json

// "webRequest", "webRequestBlocking" allow for header interception
{
  "name": "Myextension",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": [
    "management",
    "webRequest",
    "webRequestBlocking",
    "http://mysite.com/*",
    "https://github.com/*/issues/*",
    "https://github.com/*/pull/*"
  ]
  "background": {
    "scripts": ["background.js"],
    "persistent": true
  }
  "content_scripts": [
    {
      "matches": [
        "https://github.com/*/issues/*",
        "https://github.com/*/pull/*"
      ],
      "js": [
        "contentscript.js"
      ]
    }
  ]
}

This example helped me. But I found that starting from Chrome 79 we also need 'extraHeaders'. Otherwise the headers will not be changed.
I.e. like this:

// extraInfoSpec
["blocking","responseHeaders", "extraHeaders"]

See the link https://stackoverflow.com/a/59296870/6331473