CSP allows developers to control the set of resources which can be preloaded by specifying a `prefetch-src` directive. The directive has the same format as other fetch directives; developers write an allowlist which defines the set of hosts from which resources can be preloaded. If `prefetch-src` is not specified, `default-src` will apply.
Developers who wish to use CSP as an exfiltration mitigation mechanism need control over resources that don't fall into the type structure of `script-src`, `img-src`, and so on. Prefetch is a hole in Chromium's existing implementation, one which Firefox has semi-patched via their implementation of `default-src`.