CentralCSP

prefetch-src


The prefetch-src directive specifies valid sources for prefetching.

Recommended Values

  • https://subdomain.domain.com

    Allows prefetching resources from a specific external site


Tips & Tricks

  • If prefetch-src is not defined, the default-src directive will be used.

  • Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path>, and the wildcard *

  • This directive is not supported by all browsers

Examples

  • Allows scripts from the same origin and a specific external site

    Content-Security-Policy: prefetch-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <link rel='prefetch' href='/js/my_font.js'>

    Blocked

    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <link rel='prefetch' href='https://malicious.website.com/js/my_font.js'>
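To make the matching rules concrete (the 'self', host-source, scheme-source and wildcard values listed under Tips & Tricks, and the default-src fallback when prefetch-src is absent), here is a small policy checker. It is an added example, not code from CentralCSP or from any browser; the header string, page origin and URLs in it are constructed for illustration, and the matching is a simplified model of the CSP source-expression rules (it ignores nonces, hashes and non-network schemes such as data: and blob:).

```python
from urllib.parse import urljoin, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample inputs: the header from the Examples section and a made-up page origin.
EXAMPLE_HEADER = "prefetch-src 'self' https://example.com;"
PAGE_ORIGIN = "https://my.site.org"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list that governs `directive`; fetch directives fall back to default-src.
    Returns None when neither is present (the policy then places no restriction)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def _port(parsed):
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def _host_matches(pattern, host):
    """'*.example.com' matches any subdomain but not the bare domain; otherwise exact match."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(source, url, page_origin):
    """Does one CSP source expression permit fetching `url` from a page at `page_origin`?"""
    u = urlparse(urljoin(page_origin, url))   # resolve relative hrefs like /js/my_font.js
    p = urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (p.scheme, p.hostname, _port(p))
    if source == "*":
        return u.scheme in DEFAULT_PORTS        # wildcard covers network schemes only
    if source.endswith(":"):                    # scheme-source, e.g. https:
        return u.scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]
    s = urlparse(source if "://" in source else "//" + source)
    if not s.hostname:
        return False                            # keyword sources like 'unsafe-inline' never match a URL
    if s.scheme:
        if u.scheme != s.scheme:
            return False
    elif u.scheme not in (p.scheme, "https"):
        return False                            # scheme-less sources inherit the page scheme (https upgrade allowed)
    if not _host_matches(s.hostname.lower(), (u.hostname or "").lower()):
        return False
    expected_port = s.port if s.port is not None else DEFAULT_PORTS.get(s.scheme or u.scheme)
    if _port(u) != expected_port:
        return False
    if s.path:                                  # a path ending in '/' is a prefix, otherwise exact
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True


def prefetch_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Would <link rel='prefetch' href=url> be permitted under this header?"""
    sources = effective_sources(parse_csp(header), "prefetch-src")
    if sources is None:
        return True
    return any(source_allows(src, url, page_origin) for src in sources)


if __name__ == "__main__":
    for href in ("/js/my_font.js", "https://malicious.website.com/js/my_font.js"):
        verdict = "allowed" if prefetch_allowed(EXAMPLE_HEADER, href) else "blocked"
        print(f"{href}: {verdict}")
```

Running the module reproduces the two verdicts from the Examples section. Feeding it a header that has default-src but no prefetch-src shows the fallback described under Tips & Tricks: the prefetch is judged against the default-src list, so a CDN that is only whitelisted in script-src will be blocked for prefetching until it is also added to prefetch-src or default-src.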

Frequently Asked Questions

What is the prefetch-src directive used for?

The prefetch-src directive controls which sources can be used for resource prefetching operations like <link rel='prefetch'>. This helps prevent malicious prefetching that could be used for data exfiltration or to probe internal networks.

Browser Support

Not all browsers support this directive. If not specified, prefetch requests will fall back to using default-src.

What are valid values for prefetch-src?

The prefetch-src directive accepts standard CSP source values like 'self', specific domains (https://example.com), and wildcards (*). However, it's recommended to be specific about allowed prefetch sources rather than using broad wildcards.

Security Note

Be cautious with wildcards and only allow prefetching from trusted domains to prevent potential security issues.

How does prefetch-src relate to other fetch directives?

If prefetch-src is not specified, the browser will fall back to using default-src for prefetch requests. This directive specifically controls prefetching behavior separate from other resource loading directives like script-src or style-src.

Fallback Behavior

When prefetch-src is not defined, prefetch requests will be governed by the default-src directive.

Need to monitor CSP violations and maintain it easily?

Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.


CentralSaaS © 2025