security(ui): remove remote mintcdn asset reference#6166
security(ui): remove remote mintcdn asset reference#6166unisone wants to merge 1 commit intoopenclaw:mainfrom
Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 99d394f312
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| <div class="brand"> | ||
| <div class="brand-logo"> | ||
| <img src="https://mintcdn.com/clawhub/4rYvG-uuZrMK_URE/assets/pixel-lobster.svg?fit=max&auto=format&n=4rYvG-uuZrMK_URE&q=85&s=da2032e9eac3b5d9bfe7eb96ca6a8a26" alt="OpenClaw" /> | ||
| <img src="/favicon.svg" alt="OpenClaw" /> |
There was a problem hiding this comment.
The new logo source is an absolute path (/favicon.svg), which ignores the Control UI base path. The UI is built with base: "./" (ui/vite.config.ts) and the gateway supports non-root base paths (e.g., /ui), so when the Control UI is served from a subpath or opened from dist/control-ui/index.html, the browser will request the favicon from the domain root instead of the Control UI base. Previously the remote URL worked in those deployments; now the logo will 404 in any non-root base-path setup.
Useful? React with 👍 / 👎.
|
Links: fixes #5170 |
|
Hi @unisone! 👋 I just submitted #6161 which addresses the same issue but uses the proper brand logo instead of the favicon. Key difference:
The pixel-lobster logo matches OpenClaw's retro/pixel art brand identity, whereas the favicon is meant for browser tabs. My PR:
Both solutions work technically - just wanted to point out the brand consistency aspect! Let the maintainers decide which they prefer. 🦞 |
|
Good catch on base-path behavior. This PR switched to /favicon.svg, but that ignores the Control UI base path and can 404 when served under a subpath. PR #6161 appears to supersede this with a bundled local asset and a base-aware relative reference (src="pixel-lobster.svg"). To reduce maintainer churn/duplication, I'm going to close this PR in favor of #6161. Happy to help review/test #6161. |
|
Closing in favor of #6161 (bundled local asset + base-aware path) to avoid duplication. |
2 participants
Summary
Removes the remote mintcdn.com SVG dependency from the Control UI brand logo and uses the existing local /favicon.svg instead.
Why
Avoids an external supply-chain dependency in the UI and addresses the concern raised in #5170.
Testing
Notes
Greptile Overview
Greptile Summary
This PR removes an externally-hosted mintcdn.com SVG reference for the Control UI brand logo and replaces it with a local asset (
/favicon.svg), reducing supply-chain/external dependency exposure. The change is localized toui/src/ui/app-render.tswithin the topbar brand logo render path and should not affect broader UI logic beyond the image source used.Confidence Score: 5/5
/favicon.svg, with no impact on application logic, state, or security model beyond reducing external dependency surface.(2/5) Greptile learns from your feedback when you react with thumbs up/down!