
Preload and CSP in Chrome


I have a site which has some <link rel="preload" href="... tags on a web page, where I also want to add CSP headers that are as strict as possible, and as part of that I want to use default-src 'none'.

Currently Chrome supports prefetching, but it only supports the CSP directive prefetch-src behind a feature flag. So I can use the feature but not configure the security around it, and with the current default-src 'none' all prefetch calls are blocked.

The only solution I can find is to change default-src 'none' to default-src 'self', but that will of course lessen security, as a lot of unwanted resources could potentially be loaded.

Has anyone found a solution to this?
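As an added illustration (not code from the question or the answer), here is the CSP fallback rule behind the blocking: a fetch directive that is absent from the policy, such as prefetch-src, falls back to default-src, so default-src 'none' blocks prefetches unless prefetch-src is declared explicitly, which is the directive Chrome only honours behind a flag. The small evaluator below models that rule for a handful of directives and source expressions ('self', 'none', scheme and host sources, leading-wildcard hosts; nonces, hashes and path matching are left out), and the policy strings and URLs it checks are constructed for the example.

```python
"""Toy CSP evaluator showing how absent fetch directives fall back to default-src."""
from urllib.parse import urlsplit

# Fetch directives consult themselves first, then default-src (CSP Level 3 fallback).
FALLBACKS = {
    "prefetch-src": ["prefetch-src", "default-src"],
    "script-src": ["script-src", "default-src"],
    "style-src": ["style-src", "default-src"],
    "img-src": ["img-src", "default-src"],
    "font-src": ["font-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
}


def parse_csp(header: str) -> dict:
    """Turn "name src src; name src" into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a request URL (subset of the spec)."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source.endswith(":"):                      # scheme source, e.g. https:
        return u.scheme == source[:-1]
    if source.startswith("*."):                   # wildcard host, e.g. *.example.com
        return u.hostname is not None and u.hostname.endswith(source[1:])
    return origin == source or u.netloc == source  # host source, with or without scheme


def is_allowed(header: str, directive: str, url: str, page_origin: str) -> bool:
    """Apply the first governing directive in the fallback chain; no directive means allowed."""
    policy = parse_csp(header)
    for name in FALLBACKS.get(directive, [directive, "default-src"]):
        if name in policy:
            return any(source_matches(s, url, page_origin) for s in policy[name])
    return True


if __name__ == "__main__":
    strict = "default-src 'none'; script-src 'self'; style-src 'self'"
    print(is_allowed(strict, "prefetch-src", "https://example.com/next.html", "https://example.com"))
    print(is_allowed(strict + "; prefetch-src 'self'", "prefetch-src", "https://example.com/next.html", "https://example.com"))
```

Running it prints False then True: the strict policy blocks the same-origin prefetch through the default-src fallback, and adding prefetch-src 'self' allows it without loosening default-src.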


Solution

  • It seems this is a bug with Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=801561

    I am also running into this and it is quite irksome. Seems the only solution is to set default-src 'none' and wait for them to fix the issue. Not ideal...