The altered language significantly weakened the stance that browsers should bypass Content Security Policy for user-supplied add-ons, and suggests that providing the capability for users or add-ons to modify the Content Security Policy is optional. And it is.
Content Security Policy is currently being enforced by all major browsers, and is used by major websites like GitHub, Twitter, and Medium. Support for modifying Content Security Policy is non-existent for users, tenuous for browser extensions, and impossible for bookmarklets. The end result is, unfortunately, an all too familiar story: we’ve sacrificed end-user freedom for the promise of additional security.
