# Bad value “”Content-Security-Policy”” for attribute “http-equiv” on element “meta”.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-content-security-policy-for-attribute-http-equiv-on-element-meta
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

The `http-equiv` attribute accepts a specific set of predefined values, and the validator checks both the value itself and its formatting. When the validator reports a bad value of `""Content-Security-Policy""` (note the doubled quotes), it means the actual attribute value being parsed includes literal quotation mark characters as part of the string. The browser sees the first `"` as opening the attribute, then immediately sees the second `"` as closing it — resulting in a malformed tag that won't work as intended.

This matters for several reasons. `Content-Security-Policy` delivered via a `<meta>` tag is a critical security mechanism that restricts which resources your page can load. If the tag is malformed, the browser will silently ignore the policy, leaving your site without the CSP protections you intended. There's no visual indication that the policy failed to apply, making this a particularly dangerous bug.

Common causes of this issue include:

- **Copying code from a word processor or CMS** that converts straight quotes (`"`) into curly/smart quotes (`"` and `"`).
- **Double-escaping in templates** where a templating engine adds quotes around a value that already has quotes in the markup.
- **Manual typos** where quotes are accidentally duplicated.

To fix this, open your HTML source in a plain-text editor (not a word processor) and ensure the `http-equiv` value is wrapped in exactly one pair of standard straight double quotes with no extra quote characters inside.

## Examples

### Incorrect — doubled quotes around the value

```html
<meta http-equiv=""Content-Security-Policy"" content="default-src 'self';">
```

The validator interprets this as an `http-equiv` attribute with an empty value (`""`), followed by unrecognized content (`Content-Security-Policy""`), producing the error.

### Incorrect — curly/smart quotes

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self';">
```

Smart quotes (`"` and `"`) are not valid attribute delimiters in HTML. They become part of the attribute value itself, causing the validator to reject it.

### Incorrect — HTML entity quotes inside the attribute

```html
<meta http-equiv="&quot;Content-Security-Policy&quot;" content="default-src 'self';">
```

Using `&quot;` inside the attribute value embeds literal quote characters into the value string, which makes it invalid.

### Correct — single pair of straight double quotes

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self';">
```

### Correct — full document example

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https:; script-src 'self';">
  <title>CSP Example</title>
</head>
<body>
  <h1>Hello, World!</h1>
</body>
</html>
```

The `http-equiv` value `Content-Security-Policy` must be spelled exactly as shown — it is case-insensitive per the HTML spec, but using the canonical casing is recommended for clarity. The actual policy directives go in the `content` attribute, not in `http-equiv`. If you're using a templating engine or CMS, check the generated HTML source (via "View Page Source" in your browser) to confirm the output contains clean, straight quotes with no doubling.