http-equiv attribute
{{HTMLSidebar}}
The http-equiv attribute of the {{htmlelement("meta")}} element allows you to provide processing instructions for the browser as if the response that returned the document included certain HTTP headers.
The metadata is document-level metadata that applies to the whole page.
When a <meta> element has an http-equiv attribute, a content attribute defines the corresponding http-equiv value.
For example, the following <meta> tag tells the browser to refresh the page after 5 minutes:
<meta http-equiv="Refresh" content="300" />
Value
Only a subset of the HTTP headers are supported as http-equiv values.
These include:
-
content-language{{deprecated_inline}}- : Sets a default language for the document used by assistive technologies or styling by the browser.
Similar to the
{{httpheader("Content-Language")}}HTTP header. Use thelangattribute instead.
- : Sets a default language for the document used by assistive technologies or styling by the browser.
Similar to the
-
content-type- : Declares the document’s media type (MIME type) and character encoding.
The
contentattribute must be"text/html; charset=utf-8"if specified. This is equivalent to a<meta>element with thecharsetattribute specified and carries the same restriction on placement within the document. Can only be used in documents served with atext/htmlmedia type — not in documents served with an XML (application/xmlorapplication/xhtml+xml) type. See the{{httpheader("Content-Type")}}HTTP header.
- : Declares the document’s media type (MIME type) and character encoding.
The
-
content-security-policy- : Allows page authors to define a content security policy (CSP) for the current page, typically to specify allowed origins and script endpoints to guard against cross-site scripting attacks.
See the
{{httpheader("Content-Security-Policy")}}HTTP header.
- : Allows page authors to define a content security policy (CSP) for the current page, typically to specify allowed origins and script endpoints to guard against cross-site scripting attacks.
See the
-
default-style- : Sets the name of the default CSS style sheet set.
-
refresh-
: Equivalent to the
{{httpheader("Refresh")}}HTTP header. This instruction specifies:- The number of seconds until the page should be reloaded if the
contentattribute is a non-negative integer. - The number of seconds until the page should redirect to another URL if the
contentattribute is a non-negative integer followed by;url=and a valid URL.
The timer starts when the page is completely loaded, which is after the
{{domxref("Window/load_event", "load")}}and{{domxref("Window/pageshow_event", "pageshow")}}events have both fired. See Accessibility concerns for more information. - The number of seconds until the page should be reloaded if the
-
-
set-cookie{{deprecated_inline}}- : Sets a cookie for the document.
Browsers now ignore this pragma; use the
{{httpheader("Set-Cookie")}}HTTP response header ordocument.cookieinstead.
- : Sets a cookie for the document.
Browsers now ignore this pragma; use the
-
x-ua-compatible{{deprecated_inline}}- : Used by legacy versions of the now-retired
{{glossary("Microsoft Internet Explorer")}}so that it more closely followed specified behavior. If specified, thecontentattribute must have the value"IE=edge". User agents now ignore this pragma. The name derives from theX-UA-CompatibleHTTP header.
- : Used by legacy versions of the now-retired
[!WARNING] Some browsers process additional headers that are not listed above. Since unrecognized headers or invalid values are ignored, this can lead to inconsistent behavior across browser implementations. In particular, Do not set other security headers using
<meta http-equiv=, as this can lead to a false sense of security!
Accessibility concerns
Pages set with a http-equiv="Refresh" value run the risk of having the refresh interval being too short.
People navigating with the aid of assistive technology such as a screen reader may be unable to read through and understand the page’s content before being automatically redirected.
Abrupt, unannounced page updates may also be disorienting for people experiencing low vision conditions.
- MDN Understanding WCAG, Guideline 2.2 explanations
- MDN Understanding WCAG, Guideline 3.2 explanations
- Understanding Success Criterion 2.2.1 | W3C Understanding WCAG 2.0
- Understanding Success Criterion 2.2.4 | W3C Understanding WCAG 2.0
- Understanding Success Criterion 3.2.5 | W3C Understanding WCAG 2.0
Examples
Disable unsafe inline code and only allow HTTPS resources
This HTML <meta> element sets the default CSP to only allow resource loading (images, fonts, scripts, etc.) over HTTPS.
Because the unsafe-inline and unsafe-eval directives are not set, inline scripts will be blocked:
<meta http-equiv="Content-Security-Policy" content="default-src https:" />
The same restrictions can be applied using the HTTP {{httpheader("Content-Security-Policy")}} header:
Content-Security-Policy: default-src https:
Setting a page redirect
The following example uses http-equiv="refresh" to direct the browser to perform a redirect.
The content="3;url=https://www.mozilla.org" attribute will redirect page to https://www.mozilla.org after 3 seconds:
<meta http-equiv="refresh" content="3;url=https://www.mozilla.org" />
Specifications
{{Specifications}}
Browser compatibility
{{Compat}}