CSP (content security policy) breaks some sites when they are launched from an existing web page

Description

As mentioned in the title, csp (content security policy) breaks some sites when they are launched from an existing page. I use a simple page as my new tab and launch the 20+ sites I mostly visit from there. Right now, facebook and cockpit (local page, web console for linux servers) are affected. The error output in brave’s console (f12 > console) always looks similar to this

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-random numbers and letters'), or a nonce ('nonce-...') is required to enable inline execution.

This can also be considered a followup of #13929

Steps to Reproduce

1. Create a simple web page locally, e.g.

<html>
<head>
<title>a simple page</title>
</head>
<body>
<a href="https://www.facebook.com/">Facebook</a>
<a href="https://192.168.1.5:9090">Cockpit</a>
</body>
</html>

1. Open it in brave.
2. Click on any of the 2 links mentioned.
3. Notice that the pages appear broken.
4. The errors appear in the console (f12 > console)

Actual result:

Facebook’s page appears completely blank. Cockpit’s appears like so

Expected result:

I assume everyone knows how facebook’s main page looks. Cockpit’s should appear like so, prompting the user for credentials.

Reproduces how often:

Easily.

Brave version (brave://version info)

Brave 1.25.68 Chromium: 91.0.4472.77 (Official Build) (64-bit) Revision 1cecd5c8a856bc2a5adda436e7b84d8d21b339b6-refs/branch-heads/4472@{# 1246} OS Linux

Version/Channel Information:

• Can you reproduce this issue with the current release? Yes
• Can you reproduce this issue with the beta channel? Probably
• Can you reproduce this issue with the nightly channel? Probably

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? No
• Does the issue resolve itself when disabling Brave Rewards? No
• Is the issue reproducible on the latest version of Chrome? No. Tested on chrome unstable, v93.0.4530.5 as of today.

Miscellaneous Information:

In order for facebook to appear blank, the user must be already logged in in facebook. If not, it shows the usual facebook login page but the same errors on the console.

Moreover, if the forementioned link leads to any of facebook’s subpages, e.g.

facebook.com/messages
facebook.com/bravesoftware

the page appears blank as well and the same errors appear on the console.

Last but not least, if instead of pressing the link, the user types the url in the address bar, each page opens with no issues and no errors in the console.