I have generated a CSR with:

    Requested Extensions:
        X509v3 Key Usage:
            Digital Signature
        X509v3 Extended Key Usage:
            Code Signing

If I now generate a CSR without the above Requested Extensions, will it still be possible for the CA to add Code Signing usage to my certificate (e.g. by requesting it through a web form)?
Yes. CAs often ignore extensions from incoming requests (though this depends on the CA configuration) and include extensions based on the CA configuration.
The only thing the CA cannot modify from the CSR is the public key. Everything else can be changed by the CA in the issued certificate.
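
The behaviour described in the answer can be reproduced locally with the `openssl` CLI. This is an added example, not part of the original answer: a throwaway CA signs a CSR that requests no extensions, adds Code Signing from its own policy file, and the result is compared against the CSR. The names `demo-ca`, `demo-signer` and `ca_policy.ext` are constructed placeholders, and the script assumes the local OpenSSL default configuration does not add request extensions on its own.

```bash
#!/usr/bin/env bash
# Added example. "demo-ca" and "demo-signer" are constructed placeholder names.
set -eu

# Create a throwaway CA, a CSR with no requested extensions, and a certificate
# issued from that CSR with extensions taken only from the CA's own policy file.
issue_demo_cert() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-signer" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    # CA-side policy: this file, not the CSR, decides the issued extensions.
    printf '%s\n' 'keyUsage = critical, digitalSignature' \
                  'extendedKeyUsage = codeSigning' > "$d/ca_policy.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ca_policy.ext" \
        -out "$d/leaf.crt" 2>/dev/null
}

# True if the CSR itself asks for the Code Signing EKU.
csr_requests_codesigning() {
    openssl req -in "$1/leaf.csr" -noout -text | grep -q 'Code Signing'
}

# True if the issued certificate carries the Code Signing EKU.
cert_has_codesigning() {
    openssl x509 -in "$1/leaf.crt" -noout -text | grep -q 'Code Signing'
}

# True if the certificate's public key is exactly the one submitted in the CSR.
pubkey_unchanged() {
    [ "$(openssl req -in "$1/leaf.csr" -noout -pubkey)" = \
      "$(openssl x509 -in "$1/leaf.crt" -noout -pubkey)" ]
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
issue_demo_cert "$WORK"
if csr_requests_codesigning "$WORK"; then echo "CSR: requests Code Signing"
else echo "CSR: no Code Signing requested"; fi
if cert_has_codesigning "$WORK"; then echo "Cert: Code Signing present"; fi
if pubkey_unchanged "$WORK"; then echo "Public key: same as in CSR"; fi
```

Because the issued extensions come from the CA, inspect the certificate you receive (`openssl x509 -noout -text`) rather than assuming it mirrors the request.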