
Issue 801561

Starred by 3 users

Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug




CSP: Implement `prefetch-src` directive.

Project Member Reported by mkwst@chromium.org, Jan 12 2018

Issue description

As discussed in https://github.com/w3c/webappsec-csp/issues/107, `prefetch-src` will give developers control over `<link rel="prefetch">` and `<link rel="prerender">` endpoints.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jan 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b5fc5f55067deff21fba79fcb49d6740483ecbf0

commit b5fc5f55067deff21fba79fcb49d6740483ecbf0
Author: Mike West <mkwst@chromium.org>
Date: Tue Jan 16 13:49:00 2018

CSP: Implement 'prefetch-src' behind a flag.

As discussed in https://github.com/w3c/webappsec-csp/issues/107,
'prefetch-src' gives developers the ability to control the endpoints
from which resources may be prefetched.

Bug: 801561
Change-Id: Ifedd78e3101ea66d242c6f3c7a2f49385a681bd1
Reviewed-on: https://chromium-review.googlesource.com/864362
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss <yoav@yoav.ws>
Cr-Commit-Position: refs/heads/master@{#529413}
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/prefetch-src/prefetch-allowed.html
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/prefetch-src/prefetch-blocked.html
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/prefetch-src/prefetch-header-allowed.html
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/prefetch-src/prefetch-header-allowed.html.headers
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/prefetch-src/prefetch-header-blocked.html
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/prefetch-helper.js
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/prefetch-subresource.css
[add] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/prefetch-subresource.css.headers
[modify] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/b5fc5f55067deff21fba79fcb49d6740483ecbf0/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Is there an issue with the current implementation?

At our domain we got some ...

> Refused to prefetch content from '...' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'prefetch-src' was not explicitly set, so 'default-src' is used as a fallback.

... errors, despite 'prefetch-src' being set by `prefetch-src 'self';`. This directive was explicitly added after seeing these errors in the first place.

Just a minor update to my comment above. After reloading the site via DevTools, I recognized another notice: "The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled."

If I understood it correctly, "prefetch-src" is not yet supported by default, correct? Is there an option under `chrome://flags` to activate it, to see if everything would work fine afterwards?

However, if this is as I assumed, it still confuses me to see a notice on how to fix it (by explicitly setting "prefetch-src"), even if this CSP directive is not yet supported ;)

Chrome 69 on Mac has an issue with asking for prefetch-src, and ignoring the header.

I don't want to change default-src, but prefetch-src is ignored by default. If it is not used, imo, it shouldn't be used without a flag, so no errors should be thrown.

It is quite awkward that the 'prefetch-src' directive is required, but not recognized unless the flag is enabled.

Is there going to be a fix for this in the near future? Interested in using prefetching.

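As an added example (not code from the Chromium bug, the linked patch, or any commenter), the following JavaScript models the CSP fallback that the quoted console message describes: a prefetch is checked against `prefetch-src` when that directive is present and against `default-src` otherwise, so `default-src 'none'` on its own refuses every prefetch, while adding `prefetch-src 'self'` admits same-origin ones. The policy strings, page URL and target URLs are constructed for the example; the matching rules are a simplified reading of CSP source-expression semantics, not Chromium's code; and the example does not model the flag-gating reported in the thread (in the Chrome builds discussed, the directive was only parsed behind a flag, so observed behaviour differed from this model).

```javascript
// Added example for this thread, not code from Chromium or the linked patch: a
// small model of how a CSP fetch directive such as 'prefetch-src' is resolved,
// including the fallback to 'default-src' that produces the console message
// quoted in the thread. All policy strings and URLs below are constructed.
// Source matching covers 'none', 'self', '*', scheme sources and host sources
// (optional scheme, "*." subdomain wildcard, optional port); paths are ignored.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "a b; c d" into Map(name -> [source expressions]). CSP keeps the first
// occurrence of a directive and ignores later duplicates.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// A fetch directive governs its request type when present; otherwise
// 'default-src' governs; otherwise nothing does and the fetch is allowed.
function effectiveDirective(directives, name) {
  if (directives.has(name)) return name;
  if (directives.has('default-src')) return 'default-src';
  return null;
}

// Does one source expression permit `url`, given the page URL for 'self'?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e === '*') return url.protocol in DEFAULT_PORTS;
  if (e.endsWith(':')) return url.protocol === e;          // scheme source, e.g. "https:"
  let scheme = null, rest = e;
  const m = e.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; rest = m[2]; }
  const [host, port] = rest.split('/')[0].split(':');
  // A scheme-less host source matches the page's scheme or its https upgrade.
  const schemeOk = scheme ? url.protocol === scheme
                          : url.protocol === page.protocol || url.protocol === 'https:';
  if (!schemeOk) return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;   // "*.cdn.test" -> ".cdn.test"
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== '*' && (url.port || DEFAULT_PORTS[url.protocol]) !== port) return false;
  return true;
}

// Decide whether a <link rel="prefetch"> to targetUrl from pageUrl is allowed
// under `policy`, and build the same kind of message the browser logs.
function checkPrefetch(policy, pageUrl, targetUrl) {
  const directives = parsePolicy(policy);
  const page = new URL(pageUrl);
  const url = new URL(targetUrl);
  const governing = effectiveDirective(directives, 'prefetch-src');
  if (governing === null) return { allowed: true, governing, message: null };
  const sources = directives.get(governing);
  if (sources.some(s => sourceMatches(s, url, page))) {
    return { allowed: true, governing, message: null };
  }
  let message = `Refused to prefetch content from '${url.href}' because it violates ` +
    `the following Content Security Policy directive: "${governing} ${sources.join(' ')}".`;
  if (governing === 'default-src') {
    message += " Note that 'prefetch-src' was not explicitly set, so 'default-src' is used as a fallback.";
  }
  return { allowed: false, governing, message };
}

// Constructed scenarios mirroring the thread: the first reproduces the quoted
// error, the second is the fix the commenter applied, the third shows that
// 'self' still refuses a cross-origin prefetch without the fallback hint.
const demoPage = 'https://example.test/index.html';
console.log(checkPrefetch("default-src 'none'", demoPage, 'https://example.test/next.html'));
console.log(checkPrefetch("default-src 'none'; prefetch-src 'self'", demoPage, 'https://example.test/next.html'));
console.log(checkPrefetch("default-src 'none'; prefetch-src 'self'", demoPage, 'https://cdn.example.test/next.html'));
```

The `governing` field in the result is what the browser's "used as a fallback" hint is derived from: the message names the directive that actually made the decision, which is why a policy with only `default-src 'none'` reports `default-src` and suggests setting `prefetch-src`.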