Chrome extension cannot run content script before creation and not execute in-line script in nested cross site iFrame due to CSP

Question

I previously had a problem (Chrome extension fails to inject script into all types of iframes, even using matchOriginAsFallback=true) with my Chrome extension not loading it's content script before the parent accessed the iFrame (https://issues.chromium.org/issues/40202434)

I solved this by patching the HTMLIFrameWindow.contentWindow and appending my script there (in-line: contentWindow.document.documentElement.appendChild(script);)

Now I run into some sites that refuse to run the in-line script:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: xxx xxx xxx". Either the 'unsafe-inline' keyword, a hash ('sha256-w1az5K3Z41o4c3Hf8RBDo+1BZ0qgFj0ocsLXRstFf5U='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Is there any way around this?

I have tried to disable CSP through declarative_net_request : "header": "content-security-policy", "operation": "remove" Which made it work on more sites but not all.

On one site where it will not work I know that the parent frame has loaded the script and it works there, it is also loaded and works for iFrames that the main frame creates. However it breaks when one of the said iFrames created a cross site iFrame.