It is documented, it’s just documented in the CSP documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
It’s a standard adopted by most browsers, and is beyond the scope of the Twitch documentation to go into too much detail on standards external to Twitch (such as if you want more information on OAuth, you would go read the OAuth2.0 specification document rather than Twitch including it all in their docs).