metlo-labs / csp-report-listener

Requires insecure CSP

mpldr opened this issue · comments

I am all for a certain level of irony, but I find it a bit odd that the interface requires an insecure CSP:

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' unpkg.com; report-to 'self' csp.0x6d70.de;

While sure, the risk in this case is likely manageable, I find it less than ideal to require unsafe-inline and unsafe-eval as a script-src. I would also use this moment to suggest serving the assets locally so as to make the CSP more concise. I would've loved to use the application to debug the application's CSP, though. That would've been awesome.
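As an added illustration of the point raised in this issue (this is not code from the csp-report-listener project), the following small linter parses a Content-Security-Policy value, flags the weak settings the issue describes (`'unsafe-inline'`, `'unsafe-eval'`, and third-party hosts in `script-src`/`style-src`), and emits the tightened policy the issue suggests: scripts restricted to `'self'` with assets served locally. The input policy is the one quoted above; the function names and the decision to leave `style-src 'unsafe-inline'` in place are my own assumptions, since the issue only objects to it for scripts.

```python
"""Added example (not part of the csp-report-listener project): a minimal
CSP linter and hardener for the policy quoted in the issue."""

from typing import Dict, List

# Source keywords that disable the main protection CSP offers for scripts.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}

# The policy quoted in the issue, used here as the sample input.
ISSUE_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' unpkg.com; "
    "report-to 'self' csp.0x6d70.de;"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Directives are ';'-separated; within each, the first whitespace-separated
    token is the directive name and the rest are its source expressions.
    Insertion order is kept so the hardened policy keeps the original layout.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def is_host_source(src: str) -> bool:
    """True for host/origin expressions (e.g. cdnjs.cloudflare.com), as
    opposed to quoted keywords, nonces or hashes such as 'self' or 'sha256-…'."""
    return not src.startswith("'")


def lint_csp(policy: str) -> List[str]:
    """Return one finding per weak source in script-src and style-src.

    A directive that is absent falls back to default-src, as browsers do.
    """
    findings: List[str] = []
    directives = parse_csp(policy)
    for directive in ("script-src", "style-src"):
        sources = directives.get(directive) or directives.get("default-src", [])
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{directive}: {src} weakens the policy")
            elif is_host_source(src):
                findings.append(
                    f"{directive}: third-party host {src} (serve the asset locally instead)"
                )
    return findings


def harden_csp(policy: str) -> str:
    """Apply the issue's suggestions: drop 'unsafe-inline'/'unsafe-eval' from
    script-src and remove third-party hosts from script-src and style-src,
    so assets must be served from the application's own origin.

    Assumption (not from the issue): style-src keeps 'unsafe-inline', since
    the issue only objects to the unsafe keywords for scripts.
    Reporting directives are left untouched.
    """
    directives = parse_csp(policy)
    if "script-src" in directives:
        kept = [s for s in directives["script-src"]
                if s not in WEAK_SOURCES and not is_host_source(s)]
        directives["script-src"] = kept or ["'self'"]
    if "style-src" in directives:
        kept = [s for s in directives["style-src"] if not is_host_source(s)]
        directives["style-src"] = kept or ["'self'"]
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items()) + ";"


if __name__ == "__main__":
    for finding in lint_csp(ISSUE_POLICY):
        print(finding)
    print("hardened:", harden_csp(ISSUE_POLICY))
```

Running it against the quoted policy reports five findings (two unsafe keywords and one CDN host under `script-src`, one unsafe keyword and one CDN host under `style-src`) and prints the tightened header; the locally served scripts and styles then have to be adapted to work without inline script or `eval`.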