| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="resources/wait-until-done.js"></script> |
| <script src="resources/dump-as-text.js"></script> |
| <meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.py"> |
| <script> |
| // Expect the blocked URI to be the requested origin, not the redirect target. |
| document.addEventListener('securitypolicyviolation', e => { |
| document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`; |
| window.testRunner.notifyDone(); |
| }); |
| </script> |
| </head> |
| <body> |
| <p>Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.</p> |
| <svg viewBox="0 0 100 100"> |
| <font-face> |
| <font-face-src> |
| <font-face-uri font-family="ABCFont" xlink:href="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg"></font-face-uri> |
| </font-face-src> |
| </font-face> |
| </svg> |
| </body> |
| </html> |