prefetch-src
Content-Security-Policy Fetch

Overview

prefetch-src controls the origins of resources preloaded via <link rel="prefetch"> and <link rel="prerender">. When omitted it inherits from default-src. However, standardization stalled, browser support is limited, and it is effectively on a deprecation path.

Details

This directive attempted to bring speculative resource preloading under CSP control. But its spec was in flux and interoperability was poor, so some implementations (e.g., Chrome) removed or never shipped it. Relying on prefetch-src in production policies is not recommended; depending on what is being prefetched, default-src or a related fetch directive often applies instead.

In practice, rather than treating prefetch-src as essential, control preload targets via default-src/connect-src and test per-browser behavior.

Syntax

Content-Security-Policy: prefetch-src 'self' https://cdn.example.com

Notes

Related directives