[Bug]: Control UI CSP blocks Google Fonts stylesheet - style-src violation breaks UI styling #25985

@Ahmedkasmi-dev

Summary

Environment

  • Browser: Chrome/Edge/Firefox (all affected)
  • Config:

gateway.controlUi.allowedOrigins: ["*"]
gateway.controlUi.allowInsecureAuth: true
gateway.bind: "lan" (0.0.0.0:18789)

Steps to reproduce

  1. Deploy OpenClaw Control UI: http://[your-ip]:18789/
  2. Open DevTools (F12) → Console tab
  3. See CSP errors immediately:

Loading the stylesheet 'https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap' violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The action has been blocked.

  • Space Grotesk/JetBrains Mono fonts fail to load
  • UI layout/styling degraded
  • Console flooded with CSP violations
  • Core functionality works (bots/channels/sessions live)

Suggested Fixes

Option 1: CSP Update

style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/;
font-src https://fonts.gstatic.com/ https://fonts.googleapis.com/;

Option 2: Self-host fonts
Bundle fonts in /assets/fonts/ → No external calls

Option 3: System font fallback

font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;

Additional Context

  • Gateway accessible: HTTP 200 OK on /
  • WebSocket works: ws://[ip]:18789 connects
  • All 11 Discord/Telegram bots operational
  • Doctor report clean (skills/plugins healthy)

Priority: High - Affects all new deployments
Labels: bug, ui, security

Expected behavior

Fonts load correctly → Clean UI styling → No console errors

Actual behavior

Current CSP Header

Content-Security-Policy: default-src 'self'; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' ws: wss:

Blocked Resource

https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap

OpenClaw version

  • OpenClaw Version: 2026.2.23 (b817600)

Operating system

  • OS: Linux (container)

Install method

  • Deployment: Docker via Coolify on Hostinger VPS

Labels: bug (Something isn't working), close:duplicate (Closed as duplicate), dedupe:child (Duplicate issue/PR child in dedupe cluster)