Content Security Policy directive 'default-src' contains an invalid character and ignores the full directive
Reported by
kdub...@mozilla.com,
Nov 6 2017
Issue description

Chrome Version:
OS: (e.g. Win7, OSX 10.9.5, etc...)

What steps will reproduce the problem?
(1) Go to https://capmetro.org/

$ curl -s -D - -o /dev/null 'https://capmetro.org/'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
Set-Cookie: EktGUID=4276ab10-c660-4045-a204-bedb61c77c33; expires=Wed, 31-Oct-2018 06:44:07 GMT; path=/; HttpOnly
Set-Cookie: EkAnalytics=0; expires=Wed, 31-Oct-2018 06:44:07 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=gtc20gc0uippub0nijgy1qva; path=/; HttpOnly
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=capmetro.org&SiteLanguage=1033; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Content-Security-Policy: default-src �self�;
Date: Tue, 31 Oct 2017 06:44:08 GMT
Set-Cookie: citrix_ns_id=NQcsdJAKnsEecOTeup1B8X5vTpcA000; Domain=.capmetro.org; Path=/; HttpOnly
X-Expires-Orig: None
X-Cache-Control-Orig: private
Cache-Control: max-age=0, must-revalidate, private
Transfer-Encoding: chunked

What is the expected result?
To have the token ignored.

What happens instead?
Chrome devtools displays:

The value for Content Security Policy directive 'default-src' contains an invalid character: 'self'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1

But it still makes the CSS/scripts work, probably by ignoring the full directive.

Currently it fails in Firefox. (This is a spin-off of https://webcompat.com/issues/12939 )
Nov 10 2017, Nov 10 2017, Feb 18 2018
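As an added example (not part of the bug report, and not Chromium's parser), the following JavaScript models what the report describes: a CSP directive whose value contains a non-whitespace character outside ASCII 0x21-0x7E is dropped as a whole, so a policy consisting only of a garbled `default-src` imposes no restriction at all, while the same header with ASCII quotes restricts fetches to 'self'. The report shows the quotes as U+FFFD because they were mis-decoded; the constructed input below assumes the server sent typographic quotes U+2018/U+2019 in place of ASCII 0x27, which is an assumption, not something the page confirms.

```javascript
// Added example: a minimal model of CSP directive-value validation.
// Per CSP3 "parse a serialized CSP", a directive value containing a character
// that is neither ASCII whitespace nor in 0x21-0x7E causes that directive to
// be ignored entirely. This is a model for illustration, not Chrome's code.

function invalidCodePoints(token) {
  // Return the code points in `token` that are outside printable ASCII,
  // formatted as U+XXXX for readable diagnostics.
  return [...token]
    .map(ch => ch.codePointAt(0))
    .filter(cp => cp < 0x21 || cp > 0x7e)
    .map(cp => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'));
}

function parseCsp(headerValue) {
  const directives = new Map(); // name -> array of source-expression tokens
  const dropped = [];           // directives ignored because of invalid chars
  for (const raw of headerValue.split(';')) {
    // Split on ASCII whitespace only; String.prototype.trim would also eat
    // Unicode whitespace such as U+00A0, which should instead be flagged.
    const tokens = raw.split(/[\t\n\f\r ]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const value = tokens.slice(1);
    const invalid = value.flatMap(t =>
      invalidCodePoints(t).map(cp => ({ token: t, codePoint: cp })));
    if (invalid.length > 0) {
      dropped.push({ directive: name, invalid });
      continue; // the whole directive is ignored, not just the bad token
    }
    if (!directives.has(name)) directives.set(name, value); // first one wins
  }
  return { directives, dropped };
}

function effectiveSourceList(policy, directive) {
  // Fetch directives (script-src, style-src, ...) fall back to default-src.
  // null means the policy places no restriction on that resource type.
  if (policy.directives.has(directive)) return policy.directives.get(directive);
  if (policy.directives.has('default-src')) return policy.directives.get('default-src');
  return null;
}

// Constructed inputs (assumption: the site sent U+2018/U+2019 curly quotes).
const GARBLED_HEADER = 'default-src \u2018self\u2019;';
const FIXED_HEADER = "default-src 'self';";

function describe(headerValue) {
  // Summarise how the policy affects script loads for a given header value.
  const policy = parseCsp(headerValue);
  const scripts = effectiveSourceList(policy, 'script-src');
  return {
    droppedDirectives: policy.dropped.map(d => d.directive),
    invalidCodePoints: policy.dropped.flatMap(d => d.invalid.map(i => i.codePoint)),
    scriptSrc: scripts === null ? 'unrestricted' : scripts.join(' '),
  };
}

console.log(describe(GARBLED_HEADER));
console.log(describe(FIXED_HEADER));
```

Chrome applies this check to the raw header bytes, so a header emitted in a single-byte code page (where the quotes would be 0x91/0x92) fails in the same way; the model above works on decoded code points, which is sufficient to show why the page's scripts and stylesheets keep loading.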
Comment 1 by dtapu...@chromium.org, Nov 8 2017