by k1m 1848 days ago
> Is it possible for the extension to just filter the page context and make a remote request by some other means?

Yes it is. I think what you describe is in fact how extensions that need to communicate with a remote service are expected to work, and when implemented that way, the CSP rules (rightly) don't apply.

From what I understood of the article, this alternative way of sending data isn't what they mean by extensions tampering with security headers. The article doesn't go into detail but it would be interesting to see if the header tampering is necessary in all these cases, or if a different approach could work without triggering CSP.
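The pattern the comment describes, as an added example that is not code from the thread or from any extension the article discusses: a WebExtension content script reduces the page to the minimal data the service needs and hands it to the background script, which is the only component that contacts the remote service. Requests made by the background script are governed by the extension's own manifest policy, not by the web page's Content-Security-Policy, so nothing needs to touch the page's security headers. The endpoint URL, the extension id used in the checks, and the message shape are assumptions; the `chrome.runtime` wiring at the end only runs inside a browser extension, and this single file stands in for two scripts that a real extension would keep separate.

```javascript
// Added example (not code from the HN thread or the article it discusses):
// the "filter in the content script, send from the background" pattern for a
// WebExtension. Pure functions carry the logic; the chrome.* wiring at the end
// is skipped when not running inside an extension, so the file runs under Node.

// Endpoint the background is willing to talk to. Constructed placeholder: the
// content script never chooses the destination, so page content cannot redirect it.
const REPORT_ENDPOINT = "https://api.example.invalid/report";

// --- content-script side ---------------------------------------------------

// Reduce the page to the minimum the service needs: a bounded title and the
// set of hostnames linked from the page. No cookies, form data or full URLs.
function filterPageContext(title, hrefs) {
  const hosts = new Set();
  for (const href of hrefs) {
    try {
      hosts.add(new URL(href).hostname);
    } catch (_) {
      // relative or malformed hrefs are simply dropped
    }
  }
  return { title: String(title || "").slice(0, 200), linkHosts: [...hosts].sort() };
}

// The message the content script sends to the background: only data, no endpoint.
function buildReportMessage(title, hrefs) {
  return { type: "report", payload: filterPageContext(title, hrefs) };
}

// --- background side -------------------------------------------------------

// Check a message before acting on it: it must come from this extension and
// have exactly the shape the content script produces. Returns {ok, reason|payload}.
function validateReport(msg, sender, extensionId) {
  if (!sender || sender.id !== extensionId) {
    return { ok: false, reason: "sender is not this extension" }; // defence in depth
  }
  if (!msg || msg.type !== "report" || typeof msg.payload !== "object" || msg.payload === null) {
    return { ok: false, reason: "unknown message type or missing payload" };
  }
  const { title, linkHosts } = msg.payload;
  if (typeof title !== "string" || title.length > 200) {
    return { ok: false, reason: "malformed title" };
  }
  if (!Array.isArray(linkHosts) || !linkHosts.every((h) => typeof h === "string" && h.length <= 253)) {
    return { ok: false, reason: "malformed linkHosts" };
  }
  // Rebuild the object so only the validated fields are forwarded.
  return { ok: true, payload: { title, linkHosts: [...linkHosts] } };
}

// Perform the remote request from the background. fetchImpl is injected so the
// function can be exercised with a stub; in the extension it is the real fetch.
async function handleReport(msg, sender, extensionId, fetchImpl) {
  const check = validateReport(msg, sender, extensionId);
  if (!check.ok) return { accepted: false, reason: check.reason };
  const res = await fetchImpl(REPORT_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(check.payload),
  });
  return { accepted: true, status: res.status };
}

// --- wiring, only inside a browser extension --------------------------------
// In a real extension the listener below lives in the background script and the
// sendMessage call in the content script; both are shown here for illustration.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    handleReport(msg, sender, chrome.runtime.id, fetch).then(sendResponse);
    return true; // keep the channel open for the asynchronous response
  });
  // Content-script side:
  // chrome.runtime.sendMessage(buildReportMessage(document.title, [...document.links].map((a) => a.href)));
}
```

The two design choices worth noting: the destination is fixed in the background rather than carried in the message, so a page that manages to inject into the content script's data cannot turn the extension into a relay to a host of its choosing, and the background rebuilds the payload from validated fields instead of forwarding whatever object it received.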