Talk:Security/CSP/XSSModule

Revision as of 22:20, 20 October 2009 by Duryodhan (talk | contribs) (Created page with 'Regarding the CSS Expression issue .. wouldn't it be simpler to rewrite the spec to say 'UAs MUST only execute external scripts originating from the allowed list. All other forms…')

Regarding the CSS Expression issue... wouldn't it be simpler to rewrite the spec to say 'UAs MUST only execute external scripts originating from the allowed list. All other forms of script execution MUST be disabled.'?

The allowed list has the same origin by default, and other origins are added according to the script-src directive. The second line basically means no inline, no event handlers, no javascript URIs, no CSS, etc. etc.

Essentially, you want to whitelist and not blacklist in the spec (you can keep the blacklist as an additional feature). Duryodhan
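As an added illustration, not part of this talk page or of the CSP spec: a small Python model of the allowed-list rule proposed above, beside a blacklist rule for contrast, showing that the allowed-list rule also refuses a form of execution nobody has named yet. The script-src syntax (whitespace-separated full origins), the page URLs and the script-kind labels are all constructed for the example.

```python
from urllib.parse import urlsplit

# Forms of script execution named in the comment; only EXTERNAL has a source
# URL, the rest are "other forms" that the proposed rule disables outright.
EXTERNAL, INLINE, EVENT_HANDLER, JAVASCRIPT_URI, CSS_EXPRESSION = (
    "external", "inline", "event-handler", "javascript-uri", "css-expression")

def origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased, as its origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def allowed_origins(document_url: str, script_src: str) -> set[str]:
    """Allowed list: the document's own origin by default, plus each origin in
    script-src (assumed here to be whitespace-separated full origins)."""
    allowed = {origin_of(document_url)}
    allowed.update(origin_of(token) for token in script_src.split())
    return allowed

def whitelist_may_execute(kind: str, src, allowed: set[str]) -> bool:
    """Proposed rule: only external scripts from the allowed list run; every
    other form is refused, whether or not anyone has named it yet."""
    return kind == EXTERNAL and src is not None and origin_of(src) in allowed

def blacklist_may_execute(kind: str, blocked: set[str]) -> bool:
    """Blacklist rule, for contrast: anything not explicitly blocked runs."""
    return kind not in blocked

def demo() -> dict:
    """Constructed page: same-origin app, one trusted CDN, several attempts.
    Returns {label: (whitelist verdict, blacklist verdict)}."""
    allowed = allowed_origins("https://example.com/page.html",
                              "https://cdn.example.net")
    blocked = {INLINE, EVENT_HANDLER, JAVASCRIPT_URI, CSS_EXPRESSION}
    attempts = [
        (EXTERNAL, "https://example.com/app.js"),      # same origin
        (EXTERNAL, "https://CDN.example.net/lib.js"),  # listed origin
        (EXTERNAL, "https://other.example.org/x.js"),  # unlisted origin
        (INLINE, None), (EVENT_HANDLER, None), (CSS_EXPRESSION, None),
        (JAVASCRIPT_URI, "javascript:void(0)"),
        ("future-vector", None),  # a form the blacklist has never heard of
    ]
    return {src or kind: (whitelist_may_execute(kind, src, allowed),
                          blacklist_may_execute(kind, blocked))
            for kind, src in attempts}
```

The blacklist column also lets the unlisted-origin external script run, since a blacklist of forms says nothing about origins.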
