In order to block potential data leaks through prefetch requests, it was decided [1] that a `prefetch-src`CSP directive would be added and control such requests, and that prefetch requests would have their own `Request.initiator` and an empty string destination[2]. [1] https://github.com/w3c/webappsec-csp/issues/107 [2] https://github.com/whatwg/fetch/pull/659 Tests: http://w3c-test.org/content-security-policy/prefetch-src/
<rdar://problem/39821187>