To make cross-origin XHRs, you don't need to care about CSP. What you need to add in the manifest is host permissions for those hosts you need to access. Read https://developer.chrome.com/trunk/extensions/xhr.html for more information.
On the other hand, if your extension loads scripts (<script src="..."></script>) from an external web server, you must be aware of CSP. First, the server hosting the scripts must be HTTPS. Then, whitelist it in CSP as described in https://developer.chrome.com/trunk/extensions/contentSecurityPolicy.html#relaxing-remote-script.
Whitelisting an HTTP origin in 'script-src' is prohibited to prevent man-in-the-middle attacks and other security issues, so your extension doesn't load.
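
The two rules above can be checked before packaging. The following is an added example, not part of the original post and not Chrome's own code: it audits a manifest object for HTTP origins in `script-src` and for XHR targets that no host permission covers. The function names, the sample manifest and the simplified match-pattern logic are assumptions made for illustration.

```javascript
// Added example: function names are hypothetical, not a Chrome API.
// Return the source list of the script-src directive in a CSP string.
function scriptSources(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return [];
}

// Simplified match-pattern check: <scheme>://<host>/<path> with * wildcards.
function patternCovers(pattern, url) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // not a host permission (e.g. "tabs")
  const [, scheme, host, path] = m;
  const u = new URL(url);
  const proto = u.protocol.slice(0, -1);
  if (scheme === "*" ? !/^https?$/.test(proto) : scheme !== proto) return false;
  const hostOk = host === "*" || (host.startsWith("*.")
    ? u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))
    : u.hostname === host);
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return hostOk && new RegExp("^" + escaped + "$").test(u.pathname + u.search);
}

// Collect findings for both rules: HTTPS-only script origins, covered XHR hosts.
function auditManifest(manifest, xhrUrls) {
  const findings = [];
  for (const src of scriptSources(manifest.content_security_policy)) {
    if (/^http:/i.test(src)) findings.push(`script-src allows insecure origin ${src}`);
  }
  for (const url of xhrUrls) {
    if (!(manifest.permissions || []).some((p) => patternCovers(p, url)))
      findings.push(`no host permission covers XHR target ${url}`);
  }
  return findings;
}

// Constructed sample manifest: one HTTP script origin, one uncovered XHR host.
const sampleManifest = {
  permissions: ["tabs", "https://api.example.com/*"],
  content_security_policy:
    "script-src 'self' https://cdn.example.com http://scripts.example.net; object-src 'self'",
};
const sampleXhrUrls = ["https://api.example.com/v1/items", "https://other.example.org/data"];
console.log(auditManifest(sampleManifest, sampleXhrUrls));
```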