However, I'll +1 the application of the patch, with noted +0s above.
You were correct about the CSP issue; I could have sworn I had CSP in enforcing mode on my test server, but apparently not (hence the commit & revert on the main repo).
[For those wondering why we don't use a nonce instead, that wouldn't work with our caching infrastructure].
Here's a minor update that resolves it. The inline JS in the header is pushed out to a new file (because we need it to load in the header, to avoid color flashing as much as possible), and the button's onclick attribute is replaced with an event handler. The inline CSS to hide the form wrapping the button (for non-JS browsers) has been replaced with the d-none class.
If you can give it a quick once-over, I'll get it committed and wrap this up ASAP.
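An added example, not part of the original message or the project's code: a small check that flags the three inline constructs mentioned above (inline `<script>`, `on*` handler attributes, `style` attributes) when the governing CSP directive lacks `'unsafe-inline'`. The policy string, markup, ids and file name are constructed assumptions.

```javascript
// Added example (not the project's code). Flags inline constructs that an
// enforcing CSP blocks unless the governing directive has 'unsafe-inline'.
// Nonce and hash sources are out of scope, matching the thread's no-nonce setup.

// Parse a CSP header value into { directive: [source, ...] }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Walk the directive fallback chain; the first directive present decides.
function allowsInline(parsed, chain) {
  const name = chain.find(d => parsed[d]);
  return !name || parsed[name].includes("'unsafe-inline'");
}

// Regex scan, good enough for a template lint; one finding per offending tag.
function findInlineViolations(html, policy) {
  const p = parsePolicy(policy);
  const findings = [];
  if (!allowsInline(p, ['script-src-elem', 'script-src', 'default-src'])) {
    // A <script> tag without src= carries inline code.
    for (const m of html.matchAll(/<script\b([^>]*)>/gi))
      if (!/\bsrc\s*=/i.test(m[1])) findings.push('inline-script');
  }
  if (!allowsInline(p, ['script-src-attr', 'script-src', 'default-src'])) {
    for (const _ of html.matchAll(/<[a-z][^>]*\son[a-z]+\s*=/gi))
      findings.push('event-handler-attr');
  }
  if (!allowsInline(p, ['style-src-attr', 'style-src', 'default-src'])) {
    for (const _ of html.matchAll(/<[a-z][^>]*\sstyle\s*=/gi))
      findings.push('style-attr');
  }
  return findings;
}

// Constructed sample markup: the shape before and after the refactor.
const POLICY = "default-src 'self'; script-src 'self'; style-src 'self'";
const BEFORE = `<head><script>document.documentElement.dataset.theme = localStorage.getItem('theme');</script></head>
<body><form style="display:none"><button onclick="toggleTheme()">Toggle</button></form></body>`;
const AFTER = `<head><script src="/js/theme-init.js"></script></head>
<body><form class="d-none"><button id="theme-toggle">Toggle</button></form></body>`;

console.log('before:', findInlineViolations(BEFORE, POLICY));
console.log('after: ', findInlineViolations(AFTER, POLICY));
```

Running a check like this over rendered templates catches the problem even when the test server's policy is not actually being enforced.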