content-security-policy

'Preload' is blocked by CSP default-src 'none'


Firefox (tested in version 131 on macOS) is trying to 'preload' the <link rel='next' href='https://example.com/2/'> in the <head> of my website, but CSP is blocking this request due to default-src 'none'.

Content-Security-Policy "default-src 'none'; style-src 'report-sample' 'self'; script-src 'report-sample' 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; font-src 'self'; img-src 'self' data: 'self'; form-action 'self' https://www.paypal.com; connect-src 'self'; report-uri https://example.com/report_violation/"

What directive am I missing here? Only adjusting the default-src to 'self' seems to fix the issue. Looking at my CSP reports, there seems to be a similar issue with Safari, only triggering for paginated URLs.


Solution

  • There was a prefetch-src directive at one point, but it's deprecated, and, as you've found, only the default-src directive works here, which is rather frustrating.

    A couple of links where you can read about it:
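As an added example (not code from the question or the answer), here is a small Python model of the CSP3 fallback rules that shows why the prefetch above is governed by default-src alone, and which other fetch destinations silently widen when default-src is changed from 'none' to 'self'. The FIXED_CSP string, the function names and the simplified source matching (no wildcards, no port or path matching) are assumptions of this example, not part of the page.

```python
from urllib.parse import urlparse

# CSP3 fallback chains; prefetch-src is gone, so a <link rel=next> prefetch is governed by default-src alone.
FALLBACK = {
    "script": ["script-src", "default-src"],
    "style": ["style-src", "default-src"],
    "image": ["img-src", "default-src"],
    "font": ["font-src", "default-src"],
    "media": ["media-src", "default-src"],
    "object": ["object-src", "default-src"],
    "frame": ["frame-src", "child-src", "default-src"],
    "prefetch": ["default-src"],
}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    parts = [p.split() for p in header.split(";")]
    return {t[0].lower(): t[1:] for t in parts if t}

def source_allows(source, url, page_origin):
    """Match one source expression (simplified: no wildcards, no port/path matching)."""
    s, u = source.lower(), urlparse(url)
    if s == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if s.startswith("'"):                  # 'none', 'report-sample', nonces, hashes: never a URL match
        return False
    if s.endswith(":"):                    # scheme-source such as data:
        return u.scheme == s[:-1]
    h = urlparse(s if "://" in s else f"{u.scheme}://{s}")   # host-source
    return (h.scheme, h.netloc) == (u.scheme, u.netloc)

def check_fetch(header, destination, url, page_origin):
    """Return (governing directive, allowed) for one fetch under the policy."""
    policy = parse_csp(header)
    for directive in FALLBACK[destination]:
        if directive in policy:
            return directive, any(source_allows(s, url, page_origin) for s in policy[directive])
    return None, True                      # nothing set at all: CSP does not restrict this fetch

def widened_by_default_src(header):
    """Destinations with no explicit directive: relaxing default-src relaxes these too."""
    policy = parse_csp(header)
    return sorted(d for d, chain in FALLBACK.items() if not any(x in policy for x in chain[:-1]))

# The asker's header, and the answer's fix with the newly uncovered destinations pinned back to 'none' (assumed).
ASKER_CSP = ("default-src 'none'; style-src 'report-sample' 'self'; script-src 'report-sample' 'self'; "
             "manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; font-src 'self'; img-src 'self' data: 'self'; "
             "form-action 'self' https://www.paypal.com; connect-src 'self'; report-uri https://example.com/report_violation/")
FIXED_CSP = ASKER_CSP.replace("default-src 'none'",
                              "default-src 'self'; object-src 'none'; media-src 'none'; frame-src 'none'")
```

Running widened_by_default_src on the asker's policy reports frame, media, object and prefetch, which is why FIXED_CSP pins the first three back to 'none' explicitly instead of letting them inherit 'self' along with the prefetch.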