Content-Security-Policy: prefetch-src directive
Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.
Non-standard: This feature is not standardized. We do not recommend using non-standard features in production, as they have limited browser support, and may change or be removed. However, they can be a suitable alternative in specific cases where no standard option exists.
The HTTP Content-Security-Policy (CSP)
prefetch-src directive specifies valid resources that may
be prefetched or prerendered.
| CSP version | 3 |
|---|---|
| Directive type | Fetch directive |
default-src fallback |
Yes. If this directive is absent, the user agent will look for the
default-src directive.
|
Syntax
Content-Security-Policy: prefetch-src 'none';
Content-Security-Policy: prefetch-src <source-expression-list>;
This directive may have one of the following values:
'none'-
No resources of this type may be loaded. The single quotes are mandatory.
<source-expression-list>-
A space-separated list of source expression values. Resources of this type may be loaded if they match any of the given source expressions. For this directive, the following source expression values are applicable:
Example
Prefetch resources do not match header
Given a page with the following Content Security Policy:
Content-Security-Policy: prefetch-src https://example.com/
Fetches for the following code will return network errors, as the URLs provided do not
match prefetch-src's source list:
<link rel="prefetch" href="https://example.org/" />
<link rel="prerender" href="https://example.org/" />
Specifications
No specification found
No specification data found for http.headers.Content-Security-Policy.prefetch-src.
Check for problems with this page or contribute a missing spec_url to mdn/browser-compat-data. Also make sure the specification is included in w3c/browser-specs.