Morten Olsen

Reputation: 1866

Preload and CSP in Chrome

I have a site which has some <link rel="preload" href="... tags on a web page, where I also want to add as strict as possible CSP headers, and as part of that I want to use default-src 'none'.

Currently Chrome supports prefetching, but it only supports the CSP directive prefetch-src behind a feature flag. So I can use the feature but not configure the security around it, so with the current default-src 'none' all prefetch calls are blocked.

The only solution I can find is to change default-src 'none' to default-src 'self', but that will of course lessen security, as a lot of unwanted resources could potentially be loaded.

Has anyone found a solution to this?

Upvotes: 6

Views: 1950

Answers (1)

BreakingBadCode

Reputation: 56

It seems this is a bug with Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=801561

I am also running into this and it is quite irksome. Seems the only solution is to set default-src 'none' and wait for them to fix the issue. Not ideal...

Upvotes: 4
