You're adding an option to URLLoaderFactory::CreateLoaderAndStart(), which is the API the renderer uses to load resources, so just adding the API directly will give renderers that capability. I think a setting would have to be added to URLLoaderFactories to allow the new behavior (or just reuse the is_trusted bit to allow the new option - and ideally put it in ResourceRequest::TrustedParams, which will automatically make it so untrusted URLLoaderFactories don't have access). I don't know if the URLLoaderFactories used by prefetch are already considered trusted, if not, have to change that, too.