(from a conversation with @DonKult)

The sha256 is for the script-tag livereload inserts. I could just leave
that in for production, but sometimes it would be handy to know if we
are 'build', 'serve'd or perhaps even 'show'n.

Well, super-ideally livereload would apply that themself although that
could become complicated really fast on less static sites.

Oh, interesting problem, that. I haven't yet gained CSP as a habit, shame on me.

Given the amount of monkey patching I had to do on livereload recently (see lepture/python-livereload#214), I've been wondering about ditching it as a dependency and reimplementing that functionality in staticsite. That would integrate well with an extra empty block in the base template that 'ssite serve' could fill with CSP.