The new default CSP stops pages/scripts inside the extension from loading resources from outside the extension. It doesn't stop pages/scripts outside the extension loading resources from inside the extension.
And besides that, the default CSP does not include a "connect-src" policy so it does not place any limits at all on XMLHttpRequest, which is the method used by the sniffing demo. It includes only "script-src" and "object-src" policies, which affect only the src attributes of <script> and <object> elements.
(If someone here has an example Chrome extension that uses manifest_version 2 or an explicit content_security_policy, then we can test this directly...)
---
UPDATE: I tested this locally with a bare-bones extension, and adding "manifest_version: 2" does prevent sniffing in Chrome 18.
I also tried adding { "content_security_policy": "script-src 'self'; object-src 'self'" } explicitly to an extension without bumping the manifest_version. This did not prevent sniffing. So it looks like there's no way to prevent sniffing in extensions for Chrome 17 and older.
So while it's not directly related to the new default CSP, it looks like the sniffing issue is in fact addressed in Chrome 18 for extensions that opt in to the new manifest_version.
UPDATE 2: See abarth's top-level comment for the details of the fix.
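The comment's point about the missing "connect-src" directive, as an added example that is not part of the original comment: it resolves which directive of a policy governs each kind of load made by the page carrying that policy. The `default-src` fallback is standard CSP behaviour rather than something the comment states, and the `HARDENED_CSP` string and all function names are constructed for illustration.

```javascript
// Added example: which CSP directive, if any, governs each kind of load.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Load kind -> directive that governs it (subset relevant to the comment).
const GOVERNING = {
  xhr: "connect-src",
  script: "script-src",
  object: "object-src",
  image: "img-src",
};

// Returns the directive that applies and its source list, or nulls when
// nothing in the policy restricts that kind of load.
function effectiveSources(policy, kind) {
  const name = GOVERNING[kind];
  if (!name) throw new Error(`unknown load kind: ${kind}`);
  const directives = parseCsp(policy);
  for (const candidate of [name, "default-src"]) {
    if (directives.has(candidate)) {
      return { directive: candidate, sources: directives.get(candidate) };
    }
  }
  return { directive: null, sources: null };
}

function unrestrictedKinds(policy) {
  return Object.keys(GOVERNING).filter(
    (kind) => effectiveSources(policy, kind).directive === null
  );
}

// Policy string quoted in the comment.
const DEFAULT_EXT_CSP = "script-src 'self'; object-src 'self'";
// Constructed comparison policy (assumption, not from the comment).
const HARDENED_CSP = "default-src 'self'; connect-src 'self'";

console.log("default policy leaves unrestricted:", unrestrictedKinds(DEFAULT_EXT_CSP));
console.log("hardened policy leaves unrestricted:", unrestrictedKinds(HARDENED_CSP));
```
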