Reputation: 1866
Preload and CSP in Chrome
I have a site which has some <link rel="preload" href="... tags on a web page, where I also want to add as strict as possible CSP headers and as part of that I want to use default-src 'none'
Currently Chrome supports prefetching, but it only support the CSP directive of prefetch-src behind a feature flag.
So I can use the feature but not configure the security around it, so with the current default-src 'none' all prefetch calls are blocked.
The only solution I can find is to change default-src 'none' to default-src 'self', but that will of course lessen security as a lot of unwanted resources could not potentially be loaded.
Has anyone found a solution to this?
Upvotes: 6
Views: 1950
Answers (1)
Reputation: 56
It seems this is a bug with Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=801561
I am also running into this and it is quite irksome. Seems the only solution is to set default-src 'none' and wait for them to fix the issue. Not ideal...
Upvotes: 4
Related Questions
- How to disable Pre-loading of pages or Prefetch in Google Chrome?
- Chrome not reporting CSP violations
- How to validate if Chrome is preloading resources hinted in a 103 response?
- Safari seems to not support CSP nonces on link tags being used to preload JS
- Why doesn't Chrome respect my Content Security Policy hashes?
- CSS preloading doesn't work except on Google Chrome
- Preloading content via rel=preload returns "headers do not match"
- "cookie conflict" in Google Chrome Prerender
- Detect Google Chrome page prefetch
- Chrome v. 39 and Content-Security-Policy HTTP header