Deprecated: This feature has been deprecated and may be removed in future versions. It is recommended to use alternative approaches.

Non-standard: This feature is not part of any standard specification and may not be supported across all browsers.

prefetch-src

The prefetch-src directive specifies valid sources for prefetching and prerendering, i.e. which URLs the browser may fetch ahead of time through hints such as <link rel='prefetch'> and <link rel='prerender'>. It lets a page speculatively load resources for later navigations without also allowing arbitrary origins to be fetched in the background. Because the directive is deprecated and ignored by browsers that never implemented it, treat it as a defence-in-depth hint rather than a control you can rely on.

Recommended Values

  • 'self' Allows prefetching of resources from the same origin (scheme, host and port) as the document

  • https://subdomain.domain.com/path Allows prefetching of resources from that host over https, restricted to the given path (a trailing / matches everything under that prefix, otherwise the path must match exactly)

Recommended prefetch-src configuration

Content-Security-Policy: prefetch-src 'self' https://example.com;

Tips & Tricks

  • If prefetch-src is not defined, the default-src directive will be used. If neither is present, prefetching is unrestricted.

  • prefetch-src accepts the standard CSP source list: the keywords 'self' and 'none', a scheme-source such as https:, a host-source such as https://<subdomain>.<domain>.com/<path> (with * permitted for the leftmost label, e.g. https://*.example.com), and the wildcard * on its own.

  • This directive is not supported by all browsers and is no longer part of the CSP specification, so an unsupported browser silently ignores it (it does not fall back to blocking). A prefetched resource is still checked against the directive for its type (script-src, style-src, img-src, ...) at the moment the page actually uses it, so the real protection comes from those directives.

Possible Values

  • 'none': No prefetching allowed
  • 'self': Only allows prefetching from the same origin
  • URLs: Specific domains (e.g., https://trusted-cdn.com)
  • Schemes: Protocol schemes (e.g., https:)
  • Wildcards: * to allow any source (not recommended)

Example Configurations

Example policy allowing same origin and specific external site

Content-Security-Policy: prefetch-src 'self' https://example.com;

Allowed

<!-- allowed by 'self' -->
<link rel='prefetch' href='/js/my_font.js'>

<!-- allowed as it's from example.com -->
<link rel='prefetch' href='https://example.com/js/script.js'>

Blocked

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<link rel='prefetch' href='https://malicious.website.com/js/my_font.js'>

Additional Information

  • The prefetch-src directive restricts which origins a page may prefetch or prerender from, which limits speculative background requests to hosts you trust

  • It is most useful when you want to allow prefetching from your own origin and a known CDN while keeping the rest of the policy tight

  • When not specified, the behaviour falls back to default-src; if default-src is also absent, prefetching is unrestricted

  • Browser support varies and the directive has been removed from the specification, so unsupported browsers ignore it rather than blocking. Do not depend on it for security: prefetched resources are still subject to the directive for their type (script-src, style-src, img-src, ...) when the page uses them, and those directives are where enforcement actually happens
