Content-Security-Policy: duplicate URI for img-src

When accessing a notebook page (e.g. @tmcw/module-require-debugger) the img-src directive in the Content-Security-Policy header repeats the URL https://static.observableusercontent.com twice. This might indicate a bug, as e.g. frame-src also lists https://*.static.observableusercontent.com, which is missing from img-src.

All directives for the example link:

default-src 'self' https://api.observablehq.com https://static.observableusercontent.com https://tmcw.static.observableusercontent.com;
connect-src https://api.observablehq.com wss://ws.observablehq.com https://connector.observableusercontent.com https://www.google-analytics.com https://checkout.stripe.com;
font-src 'none';
frame-ancestors 'none';
frame-src https://*.static.observableusercontent.com https://static.observableusercontent.com https://checkout.stripe.com data: blob:;
img-src https://static.observableusercontent.com https://static.observablehq.com https://static.observablehq.com https://*.githubusercontent.com https://*.stripe.com https://avatars.observableusercontent.com https://www.google-analytics.com data: blob:;
manifest-src 'none';
media-src 'none';
object-src 'none';
prefetch-src https://api.observablehq.com https://*.static.observableusercontent.com https://static.observableusercontent.com https://tmcw.static.observableusercontent.com;
script-src https://static.observablehq.com https://www.google-analytics.com https://checkout.stripe.com 'sha256-ejNFw8OWeqK4msja7DzrFHtVgd9bNQPmWaI1bmZJV2U=' 'sha256-9sXPIN9u6mwFn28E0B3jX7FUr/Jswayo8yNyp7IdyZg=';
style-src https://static.observablehq.com 'unsafe-inline';
worker-src 'none'

This is fixed!

The root cause was some refactoring of how we handle origin configuration of our development, staging, and production environments. Specifically, in development the duplicate origins you were seeing were actually two distinct origins.
