Topic on Talk:Requests for comment/Content-Security-Policy

Other tools that might be broken by this change

Tim.landscheidt (talkcontribs)

As Extension:MapSources was mentioned: In dewp there are two pop-up maps commonly included in articles (cf. for example Berlin, icons to the right of "Koordinaten:"). Eventually, AFAIK the OSM map will be replaced by Extension:Kartographer; I don't know if there are plans for WikiMiniAtlas. Both currently reside in (Tool) Labs and need to be addressed at some point. If .wmflabs.org would be white-listed, due to the open nature of (Tool) Labs there would not be an effective protection against attacks.

Yurik (talkcontribs)

I suspect Wikivoyage will be affected much more because it uses map tiles from external sites. Even though we have switched the default tileset for most languages, the Dutch community led by FredTC has strongly opposed the switch. For that reason the Interactive team had implemented an extra layers feature that is under the control of the community. This simply matches the existing functionality plus adds a proper warning for the users that they will be exposing their browsing to a 3rd party on click.

Bawolff (talkcontribs)

Stuff embedded as an iframe won't be immediately affected. <iframe>s take the CSP policy of their source document, not the CSP policy of the document they are embedded in, except that the CSP policy of the embedding document can control what is allowed to be embedded. This RFC doesn't include limiting child-src (i.e. what URLs can be in iframes) until stage 7, which is a long way off. If we eventually do get there, we could possibly make an exception for OSM/WMA if that is so desired.

Yurik (talkcontribs)
Bawolff (talkcontribs)

Yes, stage 7 would break that. We're probably not going to get there for a long time. But probably what we could do is have some sort of interface, where extensions could register extra sources that are allowed on a per-page basis.

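Added example, not part of the thread or of MediaWiki's code: a simplified model of how the embedding page's policy decides which iframe URLs may load, showing why a wildcard for .wmflabs.org admits every tool hosted there while a host registered per page does not. The tool host names, the `page_policy` registration helper and the matching rules (scheme and host only, no ports or paths) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_policy(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, self_origin):
    """Simplified match for 'none', 'self', *, scheme://host and scheme://*.host."""
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == self_origin
    if source == "*":
        return u.scheme in ("http", "https")
    # Assumption: a source without a scheme is treated as https.
    s = urlsplit(source if "://" in source else "https://" + source)
    host, want = (u.hostname or "").lower(), (s.hostname or "").lower()
    if s.scheme != u.scheme:
        return False
    if want.startswith("*."):
        return host.endswith(want[1:])  # any subdomain, but not the bare domain
    return host == want

def frame_allowed(header, frame_url, self_origin):
    """Would the embedding page's policy let it load frame_url in an <iframe>?"""
    policy = parse_policy(header)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:  # most specific directive present governs
            return any(source_matches(s, frame_url, self_origin)
                       for s in policy[directive])
    return True  # no governing directive: framing is not restricted

def page_policy(base_sources, registered):
    """Hypothetical per-page interface: append sources an extension registered."""
    return "child-src " + " ".join(list(base_sources) + sorted(registered))

SELF = "https://de.wikipedia.org"                      # sample embedding origin
MAP_TOOL = "https://maps-tool.wmflabs.org/map"         # constructed host name
OTHER_TOOL = "https://someone-else.wmflabs.org/page"   # constructed host name
WILDCARD = page_policy(["'self'"], {"https://*.wmflabs.org"})
EXACT = page_policy(["'self'"], {"https://maps-tool.wmflabs.org"})
```

With `WILDCARD` both tool URLs are allowed; with `EXACT` only the registered map tool is, and a policy that has no `frame-src`, `child-src` or `default-src` leaves iframes untouched.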