As part of the effort to make prefetch interoperable, we have recently changed the CSP spec, where there is no more prefetch-src. Instead, prefetch uses the "least restrictive directive" - any directive can allow CSP and by default it goes to default-src.
This allows using default-src to prevent exfiltration, while not introducing new hoops devs have to jump through to enable prefetching - if you enable any fetch for a URL, you can also prefetch it.
The intent is to:
- Remove the prefetch-src code
- Introduce the new behavior behind a flag, and go through the I2S process with it later on.
Some notes about this:
- Apple has recently implemented prefetch-src support in WebKit. However, this support is purely hypothetical because they don't support prefetching yet. We spoke with them and they are aligned with this change.
- prefetch-src was never officially shipped, however the runtime flag protection was removed by mistake in 2021, so it silently shipped. The consequence of removing it would be that some prefetches that were disallowed by prefetch-src (there is some minor usage of prefetch-src in the wild even though it was never shipped), would now be allowed until the new flag is enabled (the previous "official" behavior was that prefetches are not CSP-protected).
We can alternatively add a deprecation flag for prefetch-src and keep both code-paths, but I wonder if that's worth the hassle since, as mentioned before, it was never officially shipped and its removal would have only minor effects that are not "breaking".
Link to prefetch-src: https://chromestatus.com/feature/4607623783514112