‘Sec-Purpose: prefetch’ HTTP request header

Chrome has set non-standardized ‘Purpose: prefetch’ header for the link-rel prefetch requests. But this is not aligned with the Fetch spec especially in the case to make a CORS request. From Chrome 75, we will change it to ‘Sec-Purpose: prefetch’, and forbids JavaScript to set or modify it via exposed APIs such as XHR and Fetch.

Chrome is enabling OOR-CORS by default. This will bring more strict CORS implementation. However, non-standardized ‘Purpose’ header results in making a CORS preflight request for cross origin prefetches. This is undesirable, and we need to make the header aligned with the CORS protocol. ‘Sec-’ prefix is reserved for user-agents specific use like this. So, we decided to use ‘Sec-Purpose’.



Working draft or equivalent

Status in Chromium


Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals


Last updated on 2019-03-19