Nice.

src/snek/system/middleware.py

@@ -5,13 +5,15 @@
 import secrets
 from aiohttp import web
 
+
 @web.middleware
 async def csp_middleware(request, handler):
     nonce = secrets.token_hex(16)
+    origin = request.headers.get('Origin')
     csp_policy = (
         "default-src 'self'; "
-        f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "
-        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        f"script-src 'self' {origin} 'nonce-{nonce}'; "
+        f"style-src 'self' 'unsafe-inline' {origin} 'nonce-{nonce}'; "
         "img-src *; "
         "connect-src 'self' https://umami.molodetz.nl; "
         "font-src *; "
@@ -28,6 +30,7 @@ async def csp_middleware(request, handler):
     response.headers['Content-Security-Policy'] = csp_policy
     return response
 
+
 @web.middleware
 async def no_cors_middleware(request, handler):
     response = await handler(request)

src/snek/templates/sandbox.html

@@ -1,6 +1,6 @@
 <div id="star-tooltip" class="star-tooltip"></div>
 <div id="star-popup" class="star-popup"></div>
-<script type="module">
+<script type="module" nonce="{{nonce}}">
 import { app } from "/app.js";
 import {WebTerminal} from "/dumb-term.js";