Deprecated: This feature has been deprecated and may be removed in future versions. It is recommended to use alternative approaches.
Non-standard: This feature is not part of any standard specification and may not be supported across all browsers.
prefetch-src
The prefetch-src directive specifies valid sources for prefetching and prerendering. This directive helps control which resources can be prefetched or prerendered in advance, improving performance while maintaining security.
Recommended Values
'self': Allows prefetching of resources from the same origin
https://subdomain.domain.com/path: Allows prefetching of resources from that host and path
Recommended prefetch-src configuration
Content-Security-Policy: prefetch-src 'self' https://example.com;
Tips & Tricks
If prefetch-src is not defined, the default-src directive will be used.
Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path> and wildcard *
This directive is not supported by all browsers
Possible Values
- 'none': No prefetching allowed
- 'self': Only allows prefetching from the same origin
- URLs: Specific domains (e.g., https://trusted-cdn.com)
- Schemes: Protocol schemes (e.g., https:)
- Wildcards: * to allow any source (not recommended)
Example Configurations
Example policy allowing same origin and specific external site
Content-Security-Policy: prefetch-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<link rel='prefetch' href='/js/my_font.js'>
<!-- allowed as it's from example.com -->
<link rel='prefetch' href='https://example.com/js/script.js'>
Blocked
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<link rel='prefetch' href='https://malicious.website.com/js/my_font.js'>
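To make the allowed/blocked decisions above concrete, here is an added example (not code from the original page) of a small checker that resolves prefetch-src with the default-src fallback and matches a prefetch target against the source expressions listed on this page. It is a simplified model of CSP source matching, and the page origin https://my.site is an assumed value.

```javascript
// Added example: decide whether a prefetch target is allowed by a CSP header.
// Simplified model of CSP source matching: covers 'none', 'self', a scheme-source
// such as https:, a host-source such as https://example.com[/path], and '*'.

function parseCsp(header) {
  // "prefetch-src 'self' https://example.com; default-src 'self'" -> { 'prefetch-src': [...], ... }
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function hostMatches(pattern, host) {
  // "*.example.com" matches any subdomain of example.com but not example.com itself
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;                              // any source (not recommended)
  if (source === "'self'") return url.origin === pageOrigin;     // same origin as the page
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {                   // scheme-source, e.g. https:
    return url.protocol === source.toLowerCase();
  }
  // host-source: [scheme://]host[/path]; a path ending in '/' is a prefix, otherwise exact
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (!hostMatches(host.toLowerCase(), url.hostname)) return false;
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

function prefetchAllowed(header, targetHref, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy['prefetch-src'] ?? policy['default-src']; // fallback described on the page
  if (!sources) return true;                                      // no applicable directive
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const url = new URL(targetHref, pageOrigin);                    // resolves relative hrefs like /js/my_font.js
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}
```

Running the page's own policy through it reproduces the Allowed and Blocked cases, and a header with only default-src shows the fallback in action.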
Additional Information
- The prefetch-src directive helps prevent unauthorized prefetching of resources
- It's particularly useful when you want to control which external resources can be prefetched
- When not specified, the behavior falls back to default-src
- Browser support may vary, so always check compatibility