CSP: prefetch-src

Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

The HTTP Content-Security-Policy (CSP) prefetch-src directive specifies valid resources that may be prefetched or prerendered.

CSP version 3
Directive type Fetch directive
default-src fallback Yes. If this directive is absent, the user agent will look for the default-src directive.

Syntax

One or more sources can be allowed for the prefetch-src policy:

http

Content-Security-Policy: prefetch-src <source>;
Content-Security-Policy: prefetch-src <source> <source>;

Sources

<source> can be any one of the values listed in CSP Source Values.

Note that this same set of values can be used in all fetch directives (and a number of other directives).

Example

Prefetch resources do not match header

Given a page with the following Content Security Policy:

http

Content-Security-Policy: prefetch-src https://example.com/

Fetches for the following code will return network errors, as the URLs provided do not match prefetch-src's source list:

html

<link rel="prefetch" href="https://example.org/" />
<link rel="prerender" href="https://example.org/" />

Specifications

No specification found

No specification data found for http.headers.Content-Security-Policy.prefetch-src.
Check for problems with this page or contribute a missing spec_url to mdn/browser-compat-data. Also make sure the specification is included in w3c/browser-specs.

Browser compatibility

BCD tables only load in the browser

See also