XWiki currently doesn't set a CSP header. If you see a CSP header I think it comes from some reverse proxy or web server and it needs to be configured there, I think there is nothing XWiki can do about that.