Bug Description

The OpenClaw Control UI dashboard's hamburger menu is non-functional in version 2026.2.21-2 due to a Content Security Policy (CSP) violation that blocks external font loading.

Version

• OpenClaw: 2026.2.21-2 (beta channel)
• Browser: Chrome/Brave
• OS: macOS

Steps to Reproduce

1. Update to OpenClaw 2026.2.21-2 beta
2. Open dashboard: http://127.0.0.1:18789/?token=
3. Click the hamburger menu icon
4. Menu does not open

Console Error

Loading the stylesheet 'https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap' violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The action has been blocked.

Expected Behavior

• Google Fonts should load successfully
• Hamburger menu should open when clicked
• Dashboard UI should render correctly with proper fonts

Actual Behavior

• CSP blocks external font requests from fonts.googleapis.com
• Hamburger menu is non-functional
• Dashboard may have broken styling due to missing fonts

Impact

Users cannot access the hamburger menu navigation, limiting dashboard functionality.

Workaround

Roll back to 2026.2.15:

openclaw update --tag 2026.2.15 --yes
openclaw gateway restart

Fix Suggestion

Update the CSP header to allow fonts.googleapis.com:

style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;

Or bundle fonts locally instead of loading from external CDN.