Closed Bug 1787576 Opened 2 years ago Closed 2 years ago

Images on asus.com from kmpic.asus.com are blocked, despite default-src having *.asus.com and no img-src specified

Categories: Core :: DOM: Security, defect

Tracking: RESOLVED DUPLICATE of bug 1672106

People: Reporter: twisniewski, Unassigned

Details

On the page https://www.asus.com/support/FAQ/1037906/, I see this CSP header:

default-src *.asus.com *.asus.com.cn https: 'unsafe-inline' 'unsafe-eval' blob: data: asus-support:; frame-ancestors 'self' *.asus.com *.asus.com.cn;

And yet the images on the page (served from kmpic.asus.com) are still shown as being blocked due to CSP. Is this maybe because the images are served over http rather than https?

Yes.

  1. default-src is the fallback for any missing -src directive
  2. if there's no scheme then it's the same scheme as the current page.
  3. https: already means any https: resource, so the asus.com entries don't add anything. They probably meant http://*.asus.com

This is working as intended from a CSP POV.

If the page works on Chrome it may be because they are automatically converting the http: URLs to https for images. That is, they are (sort of) acting as if the CSP had an upgrade-insecure-requests directive in it.
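To make the three rules above concrete, here is an added example (not code from the bug or from Firefox) that applies them to the asus.com header quoted in comment 0: a small matcher that picks the governing directive, gives scheme-less host sources the page's scheme, and treats `https:` as a scheme source. Port and path matching are left out on the assumption they do not matter here; it also shows the `http://*.asus.com` spelling the comment suggests as the fix.

```javascript
// Added example, not code from the bug or from Firefox: a minimal matcher for the
// three rules in the comment above, run against the asus.com header from comment 0.
// Port and path matching are deliberately omitted (assumption: not needed here).

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the fetch URL, given the page URL?
// Rule 2: a host-source without a scheme takes the page's scheme (CSP also lets
// an http page's sources match https, so the check allows that upgrade).
function sourceMatches(src, url, page) {
  if (src.startsWith("'")) return false;              // keywords never match a fetch URL
  const schemeOk = (s) => url.protocol === s + ":" || (s === "http" && url.protocol === "https:");
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {            // scheme-source, e.g. "https:" (rule 3)
    return schemeOk(src.slice(0, -1).toLowerCase());
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(src); // host-source
  if (!m) return false;
  const scheme = (m[1] || page.protocol.slice(0, -1)).toLowerCase();
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  return schemeOk(scheme) && hostOk;
}

// Rule 1: img-src governs images, falling back to default-src when it is absent.
function allowsImage(header, pageUrl, imageUrl) {
  const csp = parseCsp(header);
  const sources = csp.get("img-src") || csp.get("default-src");
  if (!sources) return true;                           // no governing directive: unrestricted
  const page = new URL(pageUrl), url = new URL(imageUrl);
  return sources.some((src) => sourceMatches(src, url, page));
}

// Constructed inputs: the header quoted in comment 0 and the page it was seen on.
const ASUS_CSP = "default-src *.asus.com *.asus.com.cn https: 'unsafe-inline' 'unsafe-eval' blob: data: asus-support:; frame-ancestors 'self' *.asus.com *.asus.com.cn;";
const PAGE = "https://www.asus.com/support/FAQ/1037906/";
// The fix the comment suggests: spell out the scheme so http images are allowed.
const FIXED_CSP = ASUS_CSP.replace("default-src *.asus.com", "default-src http://*.asus.com");
```

With the original header an `http://kmpic.asus.com/...` image is rejected on an https page while the same image over https is allowed; with the `http://*.asus.com` spelling the http image passes.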

I see. It seems that must be it (it does work on Chrome, and the images are still served over HTTP). Is this something we can/should do as well? Or does Chrome intend to stop doing that, so Asus should fix it?

Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE