Reputation: 1866
I have a site which has some <link rel="preload" href="... tags on a web page, where I also want to add CSP headers that are as strict as possible, and as part of that I want to use default-src 'none'.
Currently Chrome supports prefetching, but it only supports the CSP directive prefetch-src behind a feature flag.
So I can use the feature but not configure the security around it, so with the current default-src 'none' all prefetch calls are blocked.
The only solution I can find is to change default-src 'none' to default-src 'self', but that will of course lessen security, as a lot of unwanted resources could potentially be loaded.
Has anyone found a solution to this?
Upvotes: 6
Views: 1950
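The directive-fallback behaviour the question runs into, as an added example that is not code from the original post or from Chromium: a toy CSP evaluator in JavaScript that parses a policy header, picks the directive that governs a request by the request's destination, falls back to default-src when that directive is absent, and matches 'none', 'self' and exact-origin host sources. It models the spec behaviour in which a <link rel="preload" as="script"> is checked against script-src (the destination comes from the as attribute) and a plain <link rel="prefetch"> against prefetch-src; the question's point is that Chrome at the time only honoured prefetch-src behind a flag, so in that browser the prefetch case would fall through to default-src instead. The destination table, the exact-origin-only matcher and the site.example / tracker.example / cdn.example names are assumptions made for this example; real browsers also handle scheme sources, wildcards, nonces and hashes. Run it with node.

```javascript
// Added example (not from the original post or from Chromium): a toy model of the
// CSP fetch-directive fallback that decides which directive governs a request.
// Assumptions: the destination table below is a simplification of the spec's
// "effective directive for a request" mapping, and the host-source matcher
// understands only 'none', 'self' and exact origins (no schemes, wildcards,
// nonces or hashes).

// Request destination -> governing directive. A <link rel="preload" as="script">
// has destination "script"; a plain <link rel="prefetch"> has no destination,
// which CSP3 routed to prefetch-src at the time of the question.
const DIRECTIVE_FOR_DESTINATION = {
  script: "script-src",
  style: "style-src",
  image: "img-src",
  font: "font-src",
  prefetch: "prefetch-src", // stand-in name for the empty destination
};

// Parse "default-src 'none'; script-src 'self' https://cdn.example" into a Map of
// directive name -> source list. A repeated directive is ignored, as the spec says.
function parsePolicy(header) {
  const policy = new Map();
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression allow requestUrl for a page served from pageOrigin?
function matchesSource(source, requestUrl, pageOrigin) {
  const keyword = source.replace(/^'|'$/g, "").toLowerCase();
  if (keyword === "none") return false; // 'none' never matches anything
  if (keyword === "self") return new URL(requestUrl).origin === pageOrigin;
  try {
    // host-source: only an exact origin is accepted by this toy matcher
    return new URL(source).origin === new URL(requestUrl).origin;
  } catch {
    return false; // scheme-source such as "https:" or a wildcard: unsupported here
  }
}

// Decide whether a request is allowed and report which directive decided it.
function isAllowed(header, destination, requestUrl, pageOrigin) {
  const directive = DIRECTIVE_FOR_DESTINATION[destination];
  if (!directive) throw new Error("unknown destination: " + destination);
  const policy = parsePolicy(header);
  const decide = (name) => ({
    allowed: policy.get(name).some((s) => matchesSource(s, requestUrl, pageOrigin)),
    governedBy: name,
  });
  // Fallback chain: the specific directive, else default-src, else no restriction.
  if (policy.has(directive)) return decide(directive);
  if (policy.has("default-src")) return decide("default-src");
  return { allowed: true, governedBy: "(unrestricted)" };
}

// Constructed scenario (assumed names): a same-origin page preloading its own
// script, prefetching its own next page, and a third-party tracking pixel, under
// the two policies from the question plus an explicit per-directive policy.
const PAGE = "https://site.example";
const POLICIES = {
  lockedDown: "default-src 'none'",
  widened: "default-src 'self'",
  explicit: "default-src 'none'; script-src 'self'; prefetch-src 'self'",
};

function evaluateScenario(header) {
  return {
    preloadScript: isAllowed(header, "script", PAGE + "/app.js", PAGE),
    prefetchPage: isAllowed(header, "prefetch", PAGE + "/next.html", PAGE),
    thirdPartyImg: isAllowed(header, "image", "https://tracker.example/p.gif", PAGE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, header] of Object.entries(POLICIES)) {
    console.log(`${name}: ${header}`);
    for (const [request, result] of Object.entries(evaluateScenario(header))) {
      console.log(`  ${request}: ${result.allowed ? "allowed" : "blocked"} (${result.governedBy})`);
    }
  }
}
```

The explicit policy is the middle ground a practitioner would reach for: keep default-src 'none' as the backstop and open only the directives the page actually needs, so the third-party image stays blocked while the same-origin preload passes through script-src. Widening default-src to 'self' also keeps the tracker out, but it silently permits every same-origin resource type, which is the loss of control the question describes.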
Reputation: 56
It seems this is a bug with Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=801561
I am also running into this and it is quite irksome. It seems the only solution is to set default-src 'none' and wait for them to fix the issue. Not ideal...
Upvotes: 4