don't allow unsafe styles in CSP

static/404.html

@@ -4,45 +4,9 @@
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Page Not Found</title>
-    <style media="screen">
+    <link rel="stylesheet" href="/style.css">
-      body {
-        background: #efefef;
-        color: #5f5f5f;
-        font-family: Helvetica, Arial, sans-serif;
-        margin: 0;
-        padding: 0;
-      }
-      #message {
-        background: #ffffff;
-        max-width: 400px;
-        margin: 100px auto 16px;
-        padding: 16px 32px;
-        border-radius: 4px;
-        box-shadow: 0 1px 3px #e0e0e0, 0 1px 2px #888888;
-      }
-      #message h1 {
-        margin: 16px 0;
-        font-size: 22px;
-        font-weight: 300;
-      }
-      #message p {
-        margin: 16px 0;
-        font-size: 14px;
-        line-height: 140%;
-      }
-      #message a {
-        color: #039be5;
-      }
-      @media (max-width: 600px) {
-        body, #message {
-          background: #ffffff;
-          margin-top: 16px;
-          box-shadow: none;
-        }
-      }
-    </style>
   </head>
-  <body>
+  <body id="error">
     <div id="message">
       <h1>Well, this is embarassing... &#x1F633;</h1>
       <p>The specified file was not found on this website. Please check the URL for mistakes and try again, or <a href="https://jarv.is/">go home</a>.</p>

static/style.css

@@ -462,7 +462,7 @@ body#home h1 span#wave {
 
 
 
-/*! Blog CSS */
+/*! Blog Styles */
 
 body#notes {
   font-size: 18px;
@@ -753,3 +753,42 @@ body#notes div#archive div.year div.title {
   width: 620px;
 }
 
+
+
+/*! Error Styles */
+
+body#error {
+  background: #efefef;
+  color: #5f5f5f;
+  font-family: Helvetica, Arial, sans-serif;
+  margin: 0;
+  padding: 0;
+}
+body#error div#message {
+  background: #ffffff;
+  max-width: 400px;
+  margin: 100px auto 16px;
+  padding: 16px 32px;
+  border-radius: 4px;
+  box-shadow: 0 1px 3px #e0e0e0, 0 1px 2px #888888;
+}
+body#error div#message h1 {
+  margin: 16px 0;
+  font-size: 22px;
+  font-weight: 300;
+}
+body#error div#message p {
+  margin: 16px 0;
+  font-size: 14px;
+  line-height: 140%;
+}
+body#error div#message a {
+  color: #039be5;
+}
+@media (max-width: 600px) {
+  body#error, body#error div#message {
+    background: #ffffff;
+    margin-top: 16px;
+    box-shadow: none;
+  }
+}

worker.js

@@ -1,5 +1,5 @@
 let newHeaders = {
-  "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
+  "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
   "Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
   "NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
 //  "Strict-Transport-Security" : "max-age=1000",