
fix(gateway): allow required Google Fonts origins in Control UI CSP#29279

Merged
vincentkoc merged 4 commits into openclaw:main from vincentkoc:vincentkoc-code/control-ui-csp-google-fonts-safe-25985 on Feb 28, 2026

Conversation

@vincentkoc
Member

@vincentkoc vincentkoc commented Feb 28, 2026

Summary

  • Problem: Recent reports showed Control UI regressions tied to Google Fonts CSP blocking in affected builds/configurations.
  • Why it matters: External font stylesheet/font requests can be blocked unless CSP explicitly allows the required origins.
  • What changed: Added only required Google Fonts origins to CSP (style-src includes https://fonts.googleapis.com, font-src includes https://fonts.gstatic.com).
  • What did NOT change (scope boundary): No script policy changes, no new dynamic sources, no changes outside control-ui-csp + its tests.
  • Credit: Adopted dedicated test structure from fix(csp): allow Google Fonts in Control UI CSP header #28202 by @Glucksberg.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • UI / DX

Linked Issue/PR

User-visible / Behavior Changes

Control UI CSP now allows the required Google Fonts origins for style/font requests.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: Node.js
  • Model/provider: N/A
  • Integration/channel (if any): Control UI
  • Relevant config (redacted): N/A

Steps

  1. Build buildControlUiCspHeader().
  2. Verify output includes style-src ... https://fonts.googleapis.com.
  3. Verify output includes font-src ... https://fonts.gstatic.com.
  4. Run pnpm vitest run src/gateway/control-ui-csp.test.ts.

Expected

  • CSP includes only required Google Fonts origins for style and font directives.

Actual

  • Verified by focused unit tests (2 passing tests).

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

  • Verified scenarios: Ran pnpm vitest run src/gateway/control-ui-csp.test.ts locally after change.
  • Edge cases checked: CSP still blocks inline scripts; no extra origins added beyond required style/font domains.
  • What you did not verify: Full cross-platform CI matrix (pending in PR).

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps: N/A

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: Revert this PR.
  • Files/config to restore: src/gateway/control-ui-csp.ts, src/gateway/control-ui-csp.test.ts
  • Known bad symptoms reviewers should watch for: Browser CSP violations for Google Fonts resources.

Risks and Mitigations

  • Risk: Slight CSP broadening for style/font origins.
    • Mitigation: Strict allowlist with only fonts.googleapis.com (style) and fonts.gstatic.com (font).
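The verification steps above (build the header, confirm the two Google Fonts origins, confirm inline scripts stay blocked and nothing else was added) can be turned into a check that runs against the serialised header rather than against the builder's internals. The TypeScript below is an added example for this page, not code from the openclaw repository or from this PR: `buildCspHeader`, `parseCspHeader`, `checkControlUiCsp`, the baseline directives and the sample headers are all illustrative assumptions; only the two origins `https://fonts.googleapis.com` and `https://fonts.gstatic.com` come from the PR.

```typescript
// Added example, not openclaw code. Builds a CSP header from a directive map,
// parses it back, and runs the checks this PR's "Steps" and "Edge cases" name.
// Function names, baseline directives and sample headers are assumptions;
// only the two Google Fonts origins come from the PR.

type CspDirectives = Record<string, string[]>;

export const GOOGLE_FONTS_STYLESHEET_ORIGIN = "https://fonts.googleapis.com";
export const GOOGLE_FONTS_FILES_ORIGIN = "https://fonts.gstatic.com";

// Assumed baseline policy (hypothetical, not the project's real directives).
export const CONTROL_UI_CSP: CspDirectives = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'", GOOGLE_FONTS_STYLESHEET_ORIGIN],
  "font-src": ["'self'", GOOGLE_FONTS_FILES_ORIGIN],
  "img-src": ["'self'", "data:"],
};

// Serialise a directive map into a Content-Security-Policy header value.
export function buildCspHeader(directives: CspDirectives): string {
  return Object.keys(directives)
    .map((name) => `${name} ${directives[name].join(" ")}`)
    .join("; ");
}

// Parse a header value back into a directive map. Names are case-insensitive;
// a repeated directive is ignored (first one wins), as CSP3 specifies.
export function parseCspHeader(header: string): CspDirectives {
  const policy: CspDirectives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives fall back to default-src when absent.
export function effectiveSources(policy: CspDirectives, directive: string): string[] {
  return policy[directive] ?? policy["default-src"] ?? [];
}

// Does one source expression permit a request to `origin`? Handles "*",
// scheme-sources ("https:"), host-sources with optional scheme and a leading
// "*." wildcard. Keywords ('self', 'none', nonces, hashes) never match here:
// this check is about external origins and does not know the page's own origin.
export function sourceMatches(source: string, origin: string): boolean {
  const src = source.toLowerCase();
  if (src.startsWith("'")) return false;
  if (src === "*") return true;
  const url = new URL(origin);
  if (src.endsWith(":") && !src.includes("/")) return url.protocol === src;
  let scheme: string | null = null;
  let host = src;
  const sep = src.indexOf("://");
  if (sep !== -1) {
    scheme = src.slice(0, sep + 1);
    host = src.slice(sep + 3);
  }
  host = host.replace(/\/.*$/, ""); // drop any path part
  if (scheme !== null && scheme !== url.protocol) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return host === url.hostname || host === url.host;
}

export interface CspCheckResult {
  fontsStylesheetAllowed: boolean;
  fontFilesAllowed: boolean;
  inlineScriptsBlocked: boolean;
  unexpectedOrigins: string[]; // external style/font sources beyond the two allowed
}

export function checkControlUiCsp(header: string): CspCheckResult {
  const policy = parseCspHeader(header);
  const allows = (directive: string, origin: string) =>
    effectiveSources(policy, directive).some((s) => sourceMatches(s, origin));
  const externalSources = (directive: string) =>
    effectiveSources(policy, directive).filter((s) => /^https?:\/\//i.test(s));
  const expected = [GOOGLE_FONTS_STYLESHEET_ORIGIN, GOOGLE_FONTS_FILES_ORIGIN];
  // Nonce/hash sources are not modelled; only the 'unsafe-inline' keyword is checked.
  const scriptSrc = effectiveSources(policy, "script-src").map((s) => s.toLowerCase());
  return {
    fontsStylesheetAllowed: allows("style-src", GOOGLE_FONTS_STYLESHEET_ORIGIN),
    fontFilesAllowed: allows("font-src", GOOGLE_FONTS_FILES_ORIGIN),
    inlineScriptsBlocked: scriptSrc.indexOf("'unsafe-inline'") === -1,
    unexpectedOrigins: externalSources("style-src")
      .concat(externalSources("font-src"))
      .filter((s) => expected.indexOf(s.toLowerCase()) === -1),
  };
}

// Constructed sample headers: the "before" state with no font origins, and an
// over-broad variant that loads the fonts but should still fail review.
export const BEFORE_HEADER = buildCspHeader({ "default-src": ["'self'"], "script-src": ["'self'"] });
export const OVERBROAD_HEADER = buildCspHeader({
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'"],
  "style-src": ["'self'", "https://*.googleapis.com", "https://cdn.example.net"],
  "font-src": ["'self'", GOOGLE_FONTS_FILES_ORIGIN],
});

console.log(checkControlUiCsp(buildCspHeader(CONTROL_UI_CSP)));
```

`unexpectedOrigins` compares source expressions literally, so a wildcard like `https://*.googleapis.com` is reported even though it would let the stylesheet load; that is deliberate, since the PR's mitigation is a strict allowlist of exactly two hosts, and a wildcard or a third CDN is what a reviewer of a "CSP broadening" change should catch. `'self'` is never matched because the checker does not know the Control UI's own origin; it only answers questions about external hosts.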

@greptile-apps
Contributor

greptile-apps bot commented Feb 28, 2026

Greptile Summary

This PR adds Google Fonts origins (https://fonts.googleapis.com and https://fonts.gstatic.com) to the Control UI CSP allowlist, with the stated goal of fixing broken styling and UI regressions.

Critical Issue: The PR is incomplete. While it adds CSP allowlist entries for Google Fonts, the actual Google Fonts import was removed from ui/src/styles/base.css in commit 35e40f1139 (which is in this PR's base). This PR does not re-add the font import, meaning:

  • The CSP allows Google Fonts but the UI doesn't try to load them
  • The stated goal of "restoring expected typography/styling" won't be achieved
  • The comment in the code claiming "Control UI imports Google Fonts stylesheets in base.css" is factually incorrect

To fix: Either (1) add the Google Fonts import back to ui/src/styles/base.css, or (2) if the fonts are no longer needed, remove this CSP change as it serves no purpose.

Confidence Score: 1/5

  • This PR has a critical logical flaw that prevents it from achieving its stated goal
  • Score reflects that while the changes are safe from a security perspective (they don't introduce vulnerabilities), the PR has a fundamental logical error: it allows Google Fonts in CSP but doesn't actually load them. The PR claims to fix broken styling, but it won't restore any fonts because the import is missing. This makes the PR ineffective and the code comment misleading.
  • Both src/gateway/control-ui-csp.ts and ui/src/styles/base.css need attention - the CSP file has an incorrect comment, and base.css is missing the font import needed to make this PR work as intended

Last reviewed commit: cca598f


@greptile-apps greptile-apps bot left a comment


2 files reviewed, 1 comment


@Glucksberg
Contributor

Hey @vincentkoc, thanks for picking this up.

A few notes for consideration:

  1. Prior art: fix(csp): allow Google Fonts in Control UI CSP header #28202 addressed the same issue with an identical code fix and was submitted ~22 hours earlier. It was closed as "superseded" by this PR, but the reasoning isn't clear since the functional change is the same.

  2. Test coverage: fix(csp): allow Google Fonts in Control UI CSP header #28202 includes a dedicated test case ("allows Google Fonts for style and font loading") that explicitly validates both CSP origins in isolation, providing better separation of concerns. This PR only adds assertions to the existing test.

  3. Code comments: fix(csp): allow Google Fonts in Control UI CSP header #28202's inline comment specifies which fonts are loaded (Space Grotesk, JetBrains Mono), giving future maintainers more context on why these origins exist.

Would it make sense to either reopen #28202 or adopt its test structure here?

@vincentkoc vincentkoc force-pushed the vincentkoc-code/control-ui-csp-google-fonts-safe-25985 branch from cca598f to 0cd83a7 on February 28, 2026 07:47
@vincentkoc
Member Author

Addressed the feedback in follow-up commits:

Force-pushed updated branch: vincentkoc-code/control-ui-csp-google-fonts-safe-25985.

@vincentkoc vincentkoc merged commit d123ade into openclaw:main Feb 28, 2026
23 of 26 checks passed
@vincentkoc vincentkoc deleted the vincentkoc-code/control-ui-csp-google-fonts-safe-25985 branch February 28, 2026 07:59
vincentkoc added a commit that referenced this pull request Feb 28, 2026
stolyarchuk pushed a commit to llmxio/openclaw that referenced this pull request Feb 28, 2026
…penclaw#29279)

* Gateway: allow Google Fonts stylesheet and font CDN in Control UI CSP

* Tests: assert Control UI CSP allows required Google Fonts origins

* Gateway: fix CSP comment for Google Fonts allowlist intent

* Tests: split dedicated Google Fonts CSP assertion
stolyarchuk pushed a commit to llmxio/openclaw that referenced this pull request Feb 28, 2026
r4jiv007 pushed a commit to r4jiv007/openclaw that referenced this pull request Feb 28, 2026
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 1, 2026
…penclaw#29579)

(cherry picked from commit 5d51e99)

# Conflicts:
#	CHANGELOG.md
zooqueen added a commit to hanzoai/bot that referenced this pull request Mar 1, 2026
ansh pushed a commit to vibecode/openclaw that referenced this pull request Mar 2, 2026
ansh pushed a commit to vibecode/openclaw that referenced this pull request Mar 2, 2026
steipete pushed a commit to Sid-Qin/openclaw that referenced this pull request Mar 2, 2026
steipete pushed a commit to Sid-Qin/openclaw that referenced this pull request Mar 2, 2026
safzanpirani pushed a commit to safzanpirani/clawdbot that referenced this pull request Mar 2, 2026
safzanpirani pushed a commit to safzanpirani/clawdbot that referenced this pull request Mar 2, 2026
steipete pushed a commit to Sid-Qin/openclaw that referenced this pull request Mar 2, 2026
steipete pushed a commit to Sid-Qin/openclaw that referenced this pull request Mar 2, 2026
robertchang-ga pushed a commit to robertchang-ga/openclaw that referenced this pull request Mar 2, 2026
robertchang-ga pushed a commit to robertchang-ga/openclaw that referenced this pull request Mar 2, 2026
@vincentkoc vincentkoc added the dedupe:parent (Primary canonical item in dedupe cluster) label on Mar 2, 2026
@vincentkoc
Member Author

Great progress in this cluster.
The final fix is in #29279 by @vincentkoc.
This is the version we're keeping as the stable canonical path.

If you think there is a gap, tell me and I'll reopen review right away.

execute008 pushed a commit to execute008/openclaw that referenced this pull request Mar 2, 2026
execute008 pushed a commit to execute008/openclaw that referenced this pull request Mar 2, 2026
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 3, 2026
dorgonman pushed a commit to kanohorizonia/openclaw that referenced this pull request Mar 3, 2026
dorgonman pushed a commit to kanohorizonia/openclaw that referenced this pull request Mar 3, 2026
sachinkundu pushed a commit to sachinkundu/openclaw that referenced this pull request Mar 6, 2026
sachinkundu pushed a commit to sachinkundu/openclaw that referenced this pull request Mar 6, 2026
zooqueen added a commit to hanzoai/bot that referenced this pull request Mar 6, 2026
zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026
zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026
Mateljan1 pushed a commit to Mateljan1/openclaw that referenced this pull request Mar 7, 2026
Mateljan1 pushed a commit to Mateljan1/openclaw that referenced this pull request Mar 7, 2026

Labels

  • dedupe:parent (Primary canonical item in dedupe cluster)
  • gateway (Gateway runtime)
  • maintainer (Maintainer-authored PR)
  • size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Control UI CSP blocks Google Fonts stylesheet - style-src violation breaks UI styling

2 participants