For context: CSP policies often block blob: as its a way of doing eval(). eval() and friends are high risk for injection attacks, as often they involve executing the result of string manipulations. Of course, in our context this is kind of a moot point since we currently allow 'unsafe-eval'.
Anyways, not sure if we should allow blob: generally, or if NavigationTiming should enable it in a hook. Leaning towards the latter.