The PR (#582) which removed the prefetch-src directive did so in part because @noamr reasoned that:
> The only security measure valid for prefetch/preconnect is to avoid exfiltration - i.e. block the request when the default directive blocks this URL and no other directive allows it.
While this is true devoid of a service worker, a service worker can block requests that hit the fetch event, and naturally a prefetch request does not hit the fetch event, as it contains no actual content for the service worker to process and cache; thus prefetch events could evade a service worker-based block of specific origins in order to exfiltrate data.
Furthermore, it seems the issue (#542) which led to the above PR stated that:

> `prefetch-src` would still be valid, as a way to relax restrictions only for resource hints
This part of the issue seemingly got lost while translating the issue into a proper specification based on the above logic, which does not hold in the case of using the CSP in concert with a service worker to prevent data exfiltration.
I am attempting to prevent exfiltration of information by coupling service workers with a CSP. By using a service worker to control exfiltration I am able to be much more flexible and dynamic with allowing information flow, even allowing that decision to be made at runtime per-request by the users of the site. Unfortunately, prefetch requests do not hit the fetch event in the service worker, and so presently there is no way to intercept this specific class of requests; meanwhile all other requests which CSP covers -- save for frame requests -- are intercepted by the service worker. Exfiltration through prefetch is indeed possible, see #582 (comment), and thus ideally there would be some way to specifically prevent all prefetch requests to avoid any data leakage while still allowing most requests to be filtered and blocked by the service worker.
Therefore, as per @noamr's original proposal in his issue, I propose that the prefetch-src directive should apply to all prefetch requests if specified and fall back to the "least restrictive" directive if prefetch-src is unspecified. I know that all the other directives use default-src as a fallback, making prefetch-src unique. That said, the treatment of prefetch requests is already unique as per #582, so it seems exceptions for prefetch are not out of the question. Furthermore, it seems that this was @noamr's original proposed solution, which then got removed throughout the process of turning it into a proper PR based on justification that does not hold for using a CSP in concert with a service worker.
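To make the two evaluation rules the issue contrasts concrete, here is an added example (not code from the issue, the CSP spec or any browser) that models how a prefetch request would be judged against a policy under the post-#582 behaviour (blocked only when `default-src` blocks the URL and no other fetch directive allows it) versus the proposal here (an explicit `prefetch-src` decides on its own, falling back to the least restrictive directive otherwise). Source-expression matching is deliberately reduced to `'none'`, `'self'`, `*` and exact origins; the header, origins and the `FETCH_DIRECTIVES` list are constructed for illustration.

```javascript
// Added example: simplified model of CSP evaluation for a prefetch request.
// Real CSP source matching (host wildcards, schemes, nonces, hashes) is omitted.

function parsePolicy(header) {
  // "default-src 'self'; img-src https://cdn.example" -> Map(name -> [values])
  // A repeated directive name is ignored, as CSP keeps only the first one.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values.map(v => v.toLowerCase()));
    }
  }
  return directives;
}

function sourceListAllows(values, url, selfOrigin) {
  // Constructed, reduced matcher: 'none' blocks everything; otherwise allow on
  // '*', on 'self' for the page's own origin, or on an exact origin match.
  const origin = new URL(url).origin.toLowerCase();
  if (values.includes("'none'")) return false;
  return values.some(v =>
    v === '*' ||
    (v === "'self'" && origin === selfOrigin.toLowerCase()) ||
    v === origin);
}

// Fetch directives that could "allow" a URL under the post-#582 rule (illustrative subset).
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'worker-src',
  'manifest-src', 'child-src'];

function prefetchAllowed(header, url, selfOrigin, { proposed = false } = {}) {
  const policy = parsePolicy(header);
  // Proposal in this issue: an explicit prefetch-src governs prefetch alone.
  if (proposed && policy.has('prefetch-src')) {
    return sourceListAllows(policy.get('prefetch-src'), url, selfOrigin);
  }
  // Post-#582 behaviour (also the proposal's fallback): blocked only when
  // default-src blocks the URL and no other fetch directive allows it.
  const dflt = policy.get('default-src');
  if (!dflt || sourceListAllows(dflt, url, selfOrigin)) return true;
  return FETCH_DIRECTIVES.some(d =>
    policy.has(d) && sourceListAllows(policy.get(d), url, selfOrigin));
}
```

With `default-src 'self'; img-src https://cdn.example; prefetch-src 'none'`, a prefetch of `https://cdn.example/x` passes under the current rule because `img-src` allows that origin, but is blocked under the proposal because `prefetch-src 'none'` is explicit.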