Occasionally some genius has the idea to make a board and embed a file hosted at his 3rd party server to 'harvest' the IPs of those who open that board and loads the custom css. It is generally not a problem but every once in a while such malicious actor appears. We did work on the content security policy (csp) to prevent these forms of attacks, but there were some issues, and no pressing demand, so the matter got postponed a bit.
Now we're re enabling CSP, and this might break things on site. We'll see how it goes.
Here's an example of this. The user also goes by the Delastelle username, he uses it on other platforms as well.