Extensions should bypass a page's Content Security Policy when executing XMLHTTPRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.

Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.