Turns out the problem was *not* the woff files at all - it was the CSS file that used the font. Solution was:

set ^%SYS("CSP","MimeFileClassify","CSS")=$lb("text/css",0,"utf-8")

Yes. Here's a quick sample:

Class DC.Demo.SerialObject Extends %SerialObject
{

Property foo As %String;

Property bar As %String;

}

Class DC.Demo.IndexOnSerialObject Extends %Persistent
{

Property blah As DC.Demo.SerialObject;

Index blahFooBar On (blah.foo, blah.bar);

ClassMethod RunDemo()
{
    Do ..%KillExtent()
    Set inst = ..%New()
    Set inst.blah.foo = "foo"
    Set inst.blah.bar = "bar"
    Do inst.%Save()
    zw ^DC.Demo.IndexOnSerialObjectD,^DC.Demo.IndexOnSerialObjectI
}

}

Which produces output:

d ##class(DC.Demo.IndexOnSerialObject).RunDemo()
^DC.Demo.IndexOnSerialObjectD=1
^DC.Demo.IndexOnSerialObjectD(1)=$lb("",$lb("foo","bar"))
^DC.Demo.IndexOnSerialObjectI("blahFooBar"," FOO"," BAR",1)=""

Simple solution:
Create a class extending %CSP.Page with:

ClassMethod OnPreHTTP() As %Boolean
{
    Set %response.Status = ##class(%CSP.REST).#HTTP403FORBIDDEN
    Quit 0
}

From the %CSP.SessionEvents subclass, in OnStartRequest:

set %response.ServerSideRedirect = "<that classname>.cls"

@Michael Davidovich it might be helpful to look under the hood - specifically, at the class generated for the CSP page ("View Other" in Studio/VSCode).

OnPreHTTP is special in that it runs before the page is rendered (and can e.g. redirect you somewhere else). Generally, I would put code that runs on form submit / POST in OnPreHTTP.

Where you just have <script language="Cache" runat="server">, that'll run as the page is rendered whenever it gets to that block. This would generally be used to render more complex content for which other tag-based CSP options are in sufficient. If you're familiar with PHP, this is equivalent to the <?php ... ?> block in:

<html>
 <head>
  <title>PHP Test</title>
 </head>
 <body>
 <?php echo '<p>Hello World</p>'; ?> 
 </body>
</html>

<script language="Cache" method="SomeMethod"> would be used in hyperevents (i.e., #server(..SomeMethod())# and #call(..SomeMethod())#).

From a coding/design best practices perspective: you should be able to do input validation on the client to provide a friendly error message without needing to go back to the server (e.g., via #server). BUT you should also do validation on the server to make sure that even if the user (maliciously or otherwise) bypasses the client-side validation, they can't submit invalid data.

It looks like there might be an issue with the service you're trying to use - at https://apisidra.ibge.gov.br/ , pasting in "/t/1612/n2/all/v/all/p/last/c81/2702/f/u" as "Parâmetros/valores da API:" then clicking "Consultar" I get an alert saying "A solicitação de conexão com pools sofreu timeout".

I also see this from ObjectScript with Server set to apisidra.ibge.gov.br instead of api.sidra.ibge.gov.br