blob: 11af38d5aee092eb45326df9651211c48d74fbaa [file] [log] [blame]
<!DOCTYPE html>
<html>
<head>
<script src="resources/dump-as-text.js"></script>
<script src="resources/wait-until-done.js"></script>
<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.py">
<style>
@font-face {
font-family: "Ahem";
src: url("http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/resources/Ahem.woff") format("woff");
}
</style>
</head>
<body>
<p>Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
<script>
// Expect the blocked URI to be the requested origin, not the redirect target.
document.addEventListener('securitypolicyviolation', e => {
document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
window.testRunner.notifyDone();
});
</script>
</body>
</html>