I think this is something Meteor is doing, because their docs seem to think connectSrc should allow everything:

[.....] except for connect which allows anything (since meteor apps make websocket connections to a lot of different origins).