diff --git a/src/aphront/sink/AphrontHTTPSink.php b/src/aphront/sink/AphrontHTTPSink.php index 60deba78ca..9e43e4a687 100644 --- a/src/aphront/sink/AphrontHTTPSink.php +++ b/src/aphront/sink/AphrontHTTPSink.php @@ -111,6 +111,17 @@ abstract class AphrontHTTPSink extends Phobject { // HTTP headers. $data = $response->getContentIterator(); + // This isn't an exceptionally clean separation of concerns, but we need + // to add CSP headers for all response types (including both web pages + // and dialogs) and can't determine the correct CSP until after we render + // the page (because page elements like Recaptcha may add CSP rules). + $static = CelerityAPI::getStaticResourceResponse(); + foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) { + foreach ($uris as $uri) { + $response->addContentSecurityPolicyURI($kind, $uri); + } + } + $all_headers = array_merge( $response->getHeaders(), $response->getCacheHeaders()); diff --git a/src/view/page/PhabricatorStandardPageView.php b/src/view/page/PhabricatorStandardPageView.php index 99143add5f..cfb1b4abbe 100644 --- a/src/view/page/PhabricatorStandardPageView.php +++ b/src/view/page/PhabricatorStandardPageView.php @@ -892,13 +892,6 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView $response = id(new AphrontWebpageResponse()) ->setContent($content) ->setFrameable($this->getFrameable()); - - $static = CelerityAPI::getStaticResourceResponse(); - foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) { - foreach ($uris as $uri) { - $response->addContentSecurityPolicyURI($kind, $uri); - } - } } return $response;