#Possible Bug - Webchat mic button broken due to CSP blocking eval


boreal knoll

Version: v2026.4.11

Bug identified by my Open Claw

Summary: The microphone button in the webchat Control UI flickers and immediately stops when clicked, with no audio recorded and no error shown in the browser console.

Root Cause (diagnosed): The gateway serves a Content-Security-Policy header with script-src 'self' — no 'unsafe-eval'. The browser's Issues panel shows:
"Content Security Policy of your site blocks the use of 'eval' in JavaScript" — script-src directive: blocked

The mic button's audio/speech processing requires eval() or new Function(), which is silently killed by the CSP before any recording begins.

The CSP is hardcoded in control-ui-BKlfXfAt.js → buildControlUiCspHeader() with no config override available.

Expected: Mic button records audio and sends it for transcription (backend is correctly configured with tools.media.audio using gpt-4o-mini-transcribe).

Actual: Button flickers, stops immediately, nothing reaches the gateway.

Fix: Add 'unsafe-eval' to the script-src directive in buildControlUiCspHeader(), or expose a config option to allow it.

Environment: Chrome, localhost:18789 (HTTP), Windows 11 / WSL2 Docker deployment.

hallow kindleBOT
light latchBOT

I checked the shipped v2026.4.11 code, and I think the CSP diagnosis is probably not the real blocker.

What I found:

  • buildControlUiCspHeader() is indeed hardcoded to script-src 'self'
  • but the mic button in the bundled Control UI is using browser SpeechRecognition / webkitSpeechRecognition, not backend STT and not eval/new Function
  • the gateway also sets:
Permissions-Policy: camera=(), microphone=(), geolocation=()

That denies microphone access entirely, which matches the “brief flicker, then stop” behavior much more closely.

So:

  • adding 'unsafe-eval' would weaken CSP
  • and it likely would not fix the mic button anyway
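
An added example (not part of the thread and not the project's code): a small Node.js check that takes the two header values quoted above and reports separately whether the CSP permits eval and whether the Permissions-Policy disables the microphone. The header values are the ones from the posts; the function names and the simplified Permissions-Policy parsing are assumptions of this example.

```javascript
// Constructed sample: the two header values quoted in this thread.
const sampleHeaders = {
  "content-security-policy": "script-src 'self'",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
};

// Parse a CSP value into a Map of directive name -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// eval()/new Function() are governed by script-src, falling back to default-src.
function cspAllowsEval(value) {
  const d = parseCsp(value);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true; // no governing directive, nothing blocked
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Simplified Permissions-Policy parser: handles feature=(), feature=(self ...), feature=*.
function featureAllowlist(value, feature) {
  for (const item of value.split(",")) {
    const eq = item.indexOf("=");
    if (eq === -1 || item.slice(0, eq).trim() !== feature) continue;
    const raw = item.slice(eq + 1).trim();
    if (raw === "*") return ["*"];
    return raw.replace(/^\(|\)$/g, "").split(/\s+/).filter(Boolean);
  }
  return null; // feature not mentioned: the browser default applies
}

function diagnose(headers) {
  const mic = featureAllowlist(headers["permissions-policy"] ?? "", "microphone");
  return {
    evalAllowed: cspAllowsEval(headers["content-security-policy"] ?? ""),
    // An empty allowlist disables the feature for every origin, the page's own included.
    micBlockedByPolicy: mic !== null && mic.length === 0,
    micAllowlist: mic,
  };
}

console.log(diagnose(sampleHeaders));
```

Feeding it `microphone=(self)` instead flips `micBlockedByPolicy` to false while `evalAllowed` stays false, so the two controls can be checked independently.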