#Openclaw Theme import from tweakcn blocked by CSP


low lance

Bug report from my Openclaw


Bug: tweakcn theme import blocked by Content Security Policy

Version: 2026.5.4

Summary:
The "Import from tweakcn" feature in Appearance settings always fails with a CSP violation. The browser fetch to https://tweakcn.com/r/themes/{id} is blocked because tweakcn.com is not included in the connect-src directive of the Content Security Policy served with the Control UI.

Steps to reproduce:

  1. Open Settings → Appearance
  2. Paste any valid tweakcn share link (e.g. https://tweakcn.com/themes/{id}) into the import field
  3. Click Import

Expected: Theme imports successfully.

Actual: "Failed to fetch" error. Browser console shows:

Connecting to 'https://tweakcn.com/r/themes/{id}' violates the following 
Content Security Policy directive: "connect-src 'self' ws: wss: https://api.openai.com". 
The action has been blocked.

Root cause:
dist/control-ui-DYOFXYcm.js (the server-side CSP builder) sets:

connect-src 'self' ws: wss: https://api.openai.com

https://tweakcn.com is missing. The tweakcn fetch target (/r/themes/{id}) is fully CORS-enabled on their end — the omission is on the OpenClaw side only.

Fix:
Add https://tweakcn.com to the connect-src directive:

connect-src 'self' ws: wss: https://api.openai.com https://tweakcn.com

Workaround (until patched): Edit the CSP line in dist/control-ui-DYOFXYcm.js manually, then restart the gateway. Note this is overwritten by openclaw update.


You can drop that in the Discord (discord.com/invite/clawd) or wherever they take bug reports. Pretty airtight since we've got the exact file, line, and fix already confirmed working.
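
The connect-src decision behind the console error in the report above, as an added example that is not part of the original post and not OpenClaw's code: a simplified source-list matcher run against the policy before and after the proposed fix. The Control UI origin `http://localhost:3000` and the theme id `example-id` are constructed placeholders.

```javascript
// Added example, not OpenClaw code: simplified CSP connect-src check.
// Covers 'self', scheme-sources, and host-sources (scheme, "*." wildcard,
// port, path). Omits CSP3 scheme upgrades (e.g. ws: also matching wss:).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, target, selfOrigin) {
  if (source === "'self'") return target.origin === selfOrigin;
  if (source === "*") return /^(https?|wss?):$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol === source.toLowerCase(); // scheme-source
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? target.hostname.endsWith(h.slice(1)) : target.hostname === h;
  if (!hostOk) return false;
  // URL.port is "" when the URL uses its scheme's default port.
  if (port ? (port !== "*" && target.port !== port) : target.port !== "") return false;
  if (!path) return true;
  return path.endsWith("/") ? target.pathname.startsWith(path) : target.pathname === path;
}

function connectAllowed(cspHeader, url, selfOrigin) {
  const d = parseCsp(cspHeader);
  const sources = d.get("connect-src") ?? d.get("default-src");
  if (sources === undefined) return true; // no directive governs fetch()
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, target, selfOrigin));
}

// Policies quoted in the report; origin and theme id are constructed.
const BEFORE = "connect-src 'self' ws: wss: https://api.openai.com";
const AFTER = BEFORE + " https://tweakcn.com";
const THEME_URL = "https://tweakcn.com/r/themes/example-id";
console.log(connectAllowed(BEFORE, THEME_URL, "http://localhost:3000")); // false
console.log(connectAllowed(AFTER, THEME_URL, "http://localhost:3000")); // true
```

The same function can be pointed at a response's `Content-Security-Policy` header value to confirm that a patched build allows only the one added origin and nothing broader.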