
Resource Hint "Least Restrictive" CSP

Category
Security
Type
No developer-visible change
Status
In development (Chrome In development)
Intent stage
Prepare to ship

Summary

A replacement for the `prefetch-src` directive, which never got traction. Instead of relying on a bespoke CSP directive, <link rel=prefetch> (and later preconnect/dns-prefetch) would be allowed if *any* directive in the policy would allow fetching this URL for any reason. This is because prefetching/preconnecting does not actually do anything with the resource, but only fetches it for later use. This allows developers to use resource hints without needing to tweak their content security policy, while still giving them a tool to prevent exfiltration by having default-src block prefetches. For example, these policies would allow the prefetch:

default-src *
default-src 'none'; script-src *

while this one would not:

default-src 'none'
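The following is an added example, not Chrome's implementation or anything from the chromestatus entry: a small JavaScript model of the "least restrictive" rule above, next to the old `prefetch-src` fallback semantics, so the three policies in the summary can be checked side by side. It assumes a simplified CSP source-list matcher (keywords 'none' and 'self', '*', scheme sources such as `https:`, and host sources with optional scheme, wildcard subdomain and port); paths, nonces and hashes are ignored, and the child-src/frame-src/worker-src fallback chain is collapsed to a plain default-src fallback. The function names `prefetchAllowedLeastRestrictive` and `prefetchAllowedPrefetchSrc` are this example's own.

```javascript
// Added example: modelling the proposed "least restrictive" CSP rule for
// resource hints. Simplified matcher; not Chrome's code.

// Fetch directives that govern subresource loads (prefetch-src is the old
// directive being replaced, so it is handled separately below).
const FETCH_DIRECTIVES = [
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src',
  'worker-src', 'manifest-src',
];

// Parse "name src src; name src" into a Map of directive -> source tokens.
// Per CSP, a repeated directive is ignored, so the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectivePort(url) {
  if (url.port) return url.port;
  return { 'https:': '443', 'http:': '80', 'wss:': '443', 'ws:': '80' }[url.protocol] || '';
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression match the URL? (simplified CSP matching)
function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === self.origin;
  if (s.startsWith("'")) return false;            // 'none', 'unsafe-inline', nonces, hashes
  if (s === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== self.protocol &&
             !(self.protocol === 'http:' && url.protocol === 'https:')) {
    return false;                                  // scheme-less host: same scheme or upgrade only
  }
  if (!hostMatches(host, url.hostname.toLowerCase())) return false;
  if (port && port !== '*' && port !== effectivePort(url)) return false;
  return true;
}

function directiveAllows(sources, url, self) {
  return sources.some(src => sourceMatches(src, url, self));
}

// Proposed rule: the hint is allowed if ANY fetch directive (after the
// usual default-src fallback) would allow fetching this URL. A fetch type
// with neither its own directive nor a default-src is unrestricted.
function prefetchAllowedLeastRestrictive(policy, urlString, selfOrigin) {
  const directives = parsePolicy(policy);
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  const fallback = directives.has('default-src') ? directives.get('default-src') : null;
  for (const name of FETCH_DIRECTIVES) {
    if (name === 'default-src') continue;
    const sources = directives.has(name) ? directives.get(name) : fallback;
    if (sources === null || directiveAllows(sources, url, self)) return true;
  }
  return false;
}

// Old rule for comparison: prefetch-src, falling back to default-src.
function prefetchAllowedPrefetchSrc(policy, urlString, selfOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get('prefetch-src') || directives.get('default-src');
  if (!sources) return true;
  return directiveAllows(sources, new URL(urlString), new URL(selfOrigin));
}

// Demo with the constructed policies from the summary.
const SELF = 'https://app.example';
const TARGET = 'https://cdn.example/lib.js';
for (const policy of ["default-src *", "default-src 'none'; script-src *", "default-src 'none'"]) {
  console.log(`${policy.padEnd(36)} least-restrictive=${prefetchAllowedLeastRestrictive(policy, TARGET, SELF)} prefetch-src=${prefetchAllowedPrefetchSrc(policy, TARGET, SELF)}`);
}
```

The middle policy is the one that shows the change: under the old `prefetch-src` fallback it denies the prefetch (prefetch-src is absent, default-src is 'none'), while under the least-restrictive rule it allows it because script-src would have fetched the same URL anyway. The last policy blocks it under both rules, which is the exfiltration-prevention property the summary describes.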
