(no title)

Additionally, I wonder how this works on sites with a Content Security Policy that disallows inline styles and style tags and stylesheets without a nonce.

I suppose if Cloudflare is proxying your site, they could get the nonce from the content-security-policy header and use that, but hopefully that would be an opt-in-only behavior.