Content Source Policy issue on custom CSS injection
In server/layout.css there is an inline script block that checks whether custom CSS should get injected. There is no nonce defined, so the browser will throw an error if send is served via HTTPS. Fixing this would require a) adding a nonce or b) moving the script server-side.
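
Option a) from the report above, sketched as an added example that is not code from the project: the server generates a fresh nonce per response, puts it in both the `Content-Security-Policy` header and the inline `<script>` tag, and a small check lists inline scripts the policy would block. The function names, the policy string and the inline script body are assumptions, and the check assumes the policy has a `script-src` directive and ignores hash sources.

```javascript
// Added example (hypothetical names): per-response CSP nonce for an inline script.
const crypto = require('node:crypto');

// Fresh, unpredictable nonce for every response; never cache or reuse it.
function makeNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Build the header value and the page so the inline block carries the same nonce.
// inlineJs is server-controlled code, never user input.
function renderLayout(nonce, inlineJs) {
  const csp = `default-src 'self'; script-src 'self' 'nonce-${nonce}'`;
  const html = '<!DOCTYPE html><html><head>' +
    `<script nonce="${nonce}">${inlineJs}</script>` +
    '</head><body></body></html>';
  return { csp, html };
}

// Regression check for tests: return the bodies of inline <script> blocks
// that the given policy would refuse to run.
function blockedInlineScripts(csp, html) {
  const directive = csp.split(';').map((s) => s.trim())
    .find((d) => d.startsWith('script-src ')) || '';
  const allowed = new Set(
    [...directive.matchAll(/'nonce-([^']+)'/g)].map((m) => m[1]));
  // 'unsafe-inline' is ignored by browsers once a nonce is present in the directive.
  const unsafeInline = directive.includes("'unsafe-inline'") && allowed.size === 0;
  const blocked = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, not inline
    const n = /\bnonce\s*=\s*"([^"]*)"/i.exec(attrs);
    if ((n && allowed.has(n[1])) || unsafeInline) continue;
    blocked.push(m[2].trim());
  }
  return blocked;
}

// Constructed stand-in for the custom CSS check described in the report.
const page = renderLayout(makeNonce(), '/* custom CSS check goes here */');
console.log(page.csp);
console.log(blockedInlineScripts(page.csp, page.html)); // nothing blocked
```

Running `blockedInlineScripts` against the rendered layout in a unit test catches an inline block that loses its nonce before the browser does.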