CSP blocks Google Fonts stylesheet in Control UI #28038

@vcliment89

Description

The Control UI attempts to load Google Fonts but the Content Security Policy blocks the stylesheet:

Loading the stylesheet 'https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap' violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Expected Behavior

The Google Fonts stylesheet should load without CSP violations.

Suggested Fix

Add fonts.googleapis.com to the style-src CSP directive:

style-src 'self' 'unsafe-inline' fonts.googleapis.com;

You may also need to add fonts.gstatic.com to font-src for the actual font files:

font-src 'self' fonts.gstatic.com;

Environment

  • OpenClaw version: ghcr.io/openclaw/openclaw:main (pulled 2026-02-26, digest: sha256:fed802db4c11c4fe2dd360d535e1859c8fac877dec1a4150d32dde2f62023d33)
  • Access: via Tailscale Funnel (port 8443)
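
As an added illustration (not part of the original issue and not OpenClaw code), this simplified checker shows why the stylesheet is refused under the reported `style-src` and allowed under the suggested one, including the `style-src-elem` to `style-src` fallback named in the error. `checkLoad`, the page origin and the shortened stylesheet URL are assumptions; ports, paths, `*`, nonces and hashes are not handled.

```javascript
// Fallback chains: the first directive present in the policy governs the load.
const FALLBACK = {
  style: ['style-src-elem', 'style-src', 'default-src'],
  font: ['font-src', 'default-src'],
};

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function matchesSource(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  // Other quoted keywords ('unsafe-inline', 'none') never match a URL.
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // A scheme-less host source takes the page's scheme; http also admits https.
  const want = m[1] ? m[1].toLowerCase() + ':' : new URL(pageOrigin).protocol;
  const schemeOk = url.protocol === want || (want === 'http:' && url.protocol === 'https:');
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  return schemeOk && hostOk;
}

// Returns the directive that governed the decision (null if none applies).
function checkLoad(policy, kind, resourceUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  const directive = FALLBACK[kind].find((d) => directives.has(d)) ?? null;
  if (directive === null) return { allowed: true, directive };
  const url = new URL(resourceUrl);
  const allowed = directives.get(directive).some((s) => matchesSource(s, url, pageOrigin));
  return { allowed, directive };
}

// Constructed inputs: the page origin is a placeholder, the CSS URL is shortened.
const PAGE = 'https://gateway.example:8443';
const CSS = 'https://fonts.googleapis.com/css2?family=Space+Grotesk';
const BEFORE = "style-src 'self' 'unsafe-inline'";
const AFTER = "style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com";
console.log(checkLoad(BEFORE, 'style', CSS, PAGE), checkLoad(AFTER, 'style', CSS, PAGE));
```

If the deployed policy also carries a `default-src`, font files fall back to it whenever `font-src` is absent, which is why the second suggested directive matters.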
