@m15o it's only my settings i guess. i think inline js requires "style-src 'unsafe-inline'" enabled, but i didn't want to enable it, because that whole point of setting up csp in the first place is avoiding inline js :)

i think it's possible to also use sha256 hash and keep everything inline, but editing is harder then.

i uploaded yon to my server just to share, i think i prefer using it locally from a single file.