prefetch-src

Recommended Values

• 'self' Allows the resource to be loaded and executed

• https://subdomain.domain.com/path Allows the resource to be loaded and executed

Content-Security-Policy: prefetch-src 'self' https://example.com;

Tips & Tricks

• If prefetch-src is not defined, the default-src directive will be used.

• Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path> and wildcard *

• This directive is not supported by all browsers

Possible Values

• 'none': No prefetching allowed
• 'self': Only allows prefetching from the same origin
• URLs: Specific domains (e.g., https://trusted-cdn.com)
• Schemes: Protocol schemes (e.g., https:)
• Wildcards: * to allow any source (not recommended)

Example Configurations

Example policy allowing same origin and specific external site

Content-Security-Policy: prefetch-src 'self' https://example.com;

Allowed

<!-- allowed by 'self' -->
<link rel='prefetch' href='/js/my_font.js'>

<!-- allowed as it's from example.com -->
<link rel='prefetch' href='https://example.com/js/script.js'>

Blocked

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<link rel='prefetch' href='https://malicious.website.com/js/my_font.js'>

Additional Information

• The prefetch-src directive helps prevent unauthorized prefetching of resources
• It's particularly useful when you want to control which external resources can be prefetched
• When not specified, the behavior falls back to default-src
• Browser support may vary, so always check compatibility

Related Resources

External Articles

• MDN Web Docs: Content-Security-Policy
• MDN Web Docs: prefetch-src

Related Documentation Sections

• default-src Directive
• CSP Best Practices