default-src 'none' CSPOpen DevTools → Network tab before clicking. The three baseline buttons are blocked by CSP and appear in the Network tab. The prerender button fires silently — no violation event, no Network entry — yet the server receives the request.
Expected: baseline buttons each emit a SecurityPolicyViolationEvent (red). The prerender button emits nothing, leaves no Network entry, yet a popup opens showing the request reached the server. That asymmetry is the finding.