CSP allows developers to control the set of resources which can be preloaded by specifying a `prefetch-src` directive. The directive has the same format as other fetch directives; developers write an allowlist which defines the set of hosts from which resources can be preloaded. If `prefetch-src` is not specified, `default-src` will apply.
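As an added example (not Chromium's code or anything from this page), the following minimal evaluator shows how a user agent would apply `prefetch-src` to a candidate prefetch, falling back to `default-src` when `prefetch-src` is absent; the function names, the handled source expressions (`'none'`, `'self'`, `*`, scheme sources and host sources with an optional `*.` wildcard and port) and the sample policies are my own assumptions, and path matching is deliberately omitted.

```javascript
// Parse a serialized CSP header into { directiveName: [sourceExpressions] }.
// Per CSP, a repeated directive name is ignored; the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!(name in policy)) policy[name] = sources;
  }
  return policy;
}

// Does one source expression match the prefetch URL? (subset of CSP matching)
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return true;
  if (s.startsWith("'")) return false;               // unsupported keyword
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const actual = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  return true;
}

// Decide whether a prefetch of prefetchUrl from a page at pageUrl is allowed.
// prefetch-src governs if present; otherwise default-src applies; if neither
// directive is present the policy places no restriction on prefetches.
function prefetchAllowed(header, prefetchUrl, pageUrl) {
  const policy = parseCsp(header);
  const sources = policy['prefetch-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(prefetchUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}
```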

Motivation

Developers who wish to use CSP as an exfiltration mitigation mechanism need control over resources that don't fall into the type structure of `script-src`, `img-src`, and so on. Prefetch is a hole in Chromium's existing implementation, one which Firefox has semi-patched via their implementation of `default-src`.

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature>ContentSecurityPolicy
In developer trial (Behind a flag) (tracking bug) in:

  • Chrome for desktop release 65
  • Chrome for Android release 65

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • Positive

Owner

Last updated on 2021-03-08