This is one of the most cursed errors that I've seen from a user:
freenode.logbot.info/grapheneos/202
Kaspersky is injecting code into the browser and using that to modify the CSP headers for JavaScript they inject into each web page. It breaks because they don't understand CSP fallbacks.
I think the issue is they add a child-src rule permitting their injected code but don't consider that browsers fall back to script-src and then default-src. I have a feeling it could be worked around by setting a no-op child-src 'self'. I don't really want to add cruft for it...
My two <insert-currency-sub-unit-here>s: don’t add cruft to play nice with AV.
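
The fallback behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified model of the CSP Level 3 fallback chains, showing that the first directive present in a chain governs on its own, so adding `child-src` stops worker and frame loads from falling back to `script-src` and `default-src`. The origins and policies are constructed, source matching is reduced to `*`, `'self'` and exact origins, and the way the header gets edited (appending a directive) is an assumption.

```javascript
// Simplified model of CSP Level 3 directive fallback (added example).
// Chains list the most specific directive first.
const FALLBACK = {
  worker: ["worker-src", "child-src", "script-src", "default-src"],
  frame: ["frame-src", "child-src", "default-src"],
  script: ["script-src", "default-src"],
};

// Parse a policy string into Map(directive -> sources).
// A repeated directive is ignored: the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// The first directive of the chain that is present governs on its own;
// the source lists further down the chain are not merged in.
function effectiveDirective(policy, kind) {
  return FALLBACK[kind].find((d) => policy.has(d)) ?? null;
}

// Source matching reduced to '*', 'self' and exact origins.
function allows(header, kind, origin, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = effectiveDirective(policy, kind);
  if (directive === null) return true; // nothing restricts this kind
  return policy.get(directive).some(
    (s) => s === "*" || s === origin || (s === "'self'" && origin === selfOrigin)
  );
}

// Constructed origins and policies; appending is an assumed edit style.
const SITE = "https://site.example";
const INJECTED = "https://injected.example";
const sitePolicy = "default-src 'self'";
const modified = `${sitePolicy}; child-src ${INJECTED}`;
const withNoOp = `child-src 'self'; ${modified}`; // the no-op from the thread

for (const [label, p] of Object.entries({ sitePolicy, modified, withNoOp })) {
  const dir = effectiveDirective(parsePolicy(p), "worker");
  console.log(label, "->", dir, "| own worker allowed:", allows(p, "worker", SITE, SITE));
}
```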

