diff --git a/resources/celerity/map.php b/resources/celerity/map.php
--- a/resources/celerity/map.php
+++ b/resources/celerity/map.php
@@ -8,10 +8,10 @@
 return array(
   'names' => array(
     'core.pkg.css' => '66ada2ec',
-    'core.pkg.js' => '8cd3cd8c',
+    'core.pkg.js' => '4c28870b',
     'darkconsole.pkg.js' => 'df001cab',
     'differential.pkg.css' => '4a93db37',
-    'differential.pkg.js' => '79503aa4',
+    'differential.pkg.js' => 'eb182ccd',
     'diffusion.pkg.css' => '591664fa',
     'diffusion.pkg.js' => 'bfc0737b',
     'maniphest.pkg.css' => 'f5d89daf',
@@ -440,7 +440,7 @@
     'rsrc/js/application/uiexample/gesture-example.js' => '558829c2',
     'rsrc/js/application/uiexample/notification-example.js' => '7a9677fc',
     'rsrc/js/core/Busy.js' => '6453c869',
-    'rsrc/js/core/DragAndDropFileUpload.js' => 'a575f592',
+    'rsrc/js/core/DragAndDropFileUpload.js' => 'f61aa8ec',
     'rsrc/js/core/DraggableList.js' => '2cad29d1',
     'rsrc/js/core/FileUpload.js' => 'a4ae61bf',
     'rsrc/js/core/Hovercard.js' => '7e8468ae',
@@ -465,7 +465,7 @@
     'rsrc/js/core/behavior-file-tree.js' => '88236f00',
     'rsrc/js/core/behavior-form.js' => '5c54cbf3',
     'rsrc/js/core/behavior-gesture.js' => '3ab51e2c',
-    'rsrc/js/core/behavior-global-drag-and-drop.js' => '3672899b',
+    'rsrc/js/core/behavior-global-drag-and-drop.js' => '07f199d8',
     'rsrc/js/core/behavior-high-security-warning.js' => '8fc1c918',
     'rsrc/js/core/behavior-history-install.js' => '7ee2b591',
     'rsrc/js/core/behavior-hovercard.js' => 'f36e01af',
@@ -589,7 +589,7 @@
     'javelin-behavior-doorkeeper-tag' => 'e5822781',
     'javelin-behavior-error-log' => 'a5d7cf86',
     'javelin-behavior-fancy-datepicker' => 'a5573bcd',
-    'javelin-behavior-global-drag-and-drop' => '3672899b',
+    'javelin-behavior-global-drag-and-drop' => '07f199d8',
     'javelin-behavior-herald-rule-editor' => '7ebaeed3',
     'javelin-behavior-high-security-warning' => '8fc1c918',
     'javelin-behavior-history-install' => '7ee2b591',
@@ -715,7 +715,7 @@
     'phabricator-countdown-css' => '86b7b0a0',
     'phabricator-crumbs-view-css' => '7fbf25b8',
     'phabricator-dashboard-css' => 'a2bfdcbf',
-    'phabricator-drag-and-drop-file-upload' => 'a575f592',
+    'phabricator-drag-and-drop-file-upload' => 'f61aa8ec',
     'phabricator-draggable-list' => '2cad29d1',
     'phabricator-fatal-config-template-css' => '25d446d6',
     'phabricator-feed-css' => '4e544db4',
@@ -869,6 +869,13 @@
       'javelin-util',
       'phabricator-busy',
     ),
+    '07f199d8' => array(
+      'javelin-behavior',
+      'javelin-dom',
+      'javelin-uri',
+      'javelin-mask',
+      'phabricator-drag-and-drop-file-upload',
+    ),
     '09eee344' => array(
       'javelin-behavior',
       'javelin-stratcom',
@@ -1042,13 +1049,6 @@
       'javelin-behavior',
       'javelin-dom',
     ),
-    '3672899b' => array(
-      'javelin-behavior',
-      'javelin-dom',
-      'javelin-uri',
-      'javelin-mask',
-      'phabricator-drag-and-drop-file-upload',
-    ),
     '3915d490' => array(
       'javelin-install',
       'javelin-util',
@@ -1490,14 +1490,6 @@
       'javelin-stratcom',
       'javelin-vector',
     ),
-    'a575f592' => array(
-      'javelin-install',
-      'javelin-util',
-      'javelin-request',
-      'javelin-dom',
-      'javelin-uri',
-      'phabricator-file-upload',
-    ),
     'a5b67173' => array(
       'javelin-dom',
       'javelin-util',
@@ -1877,6 +1869,14 @@
       'multirow-row-manager',
       'javelin-json',
     ),
+    'f61aa8ec' => array(
+      'javelin-install',
+      'javelin-util',
+      'javelin-request',
+      'javelin-dom',
+      'javelin-uri',
+      'phabricator-file-upload',
+    ),
     'f6555212' => array(
       'javelin-install',
       'javelin-reactornode',
diff --git a/src/applications/files/controller/PhabricatorFileDropUploadController.php b/src/applications/files/controller/PhabricatorFileDropUploadController.php
--- a/src/applications/files/controller/PhabricatorFileDropUploadController.php
+++ b/src/applications/files/controller/PhabricatorFileDropUploadController.php
@@ -8,7 +8,7 @@
    */
   public function processRequest() {
     $request = $this->getRequest();
-    $user = $request->getUser();
+    $viewer = $request->getUser();
 
     // NOTE: Throws if valid CSRF token is not present in the request.
     $request->validateCSRF();
@@ -16,11 +16,21 @@
     $data = PhabricatorStartup::getRawInput();
     $name = $request->getStr('name');
 
+    // If there's no explicit view policy, make it very restrictive by default.
+    // This is the correct policy for files dropped onto objects during
+    // creation, comment and edit flows.
+
+    $view_policy = $request->getStr('viewPolicy');
+    if (!$view_policy) {
+      $view_policy = $viewer->getPHID();
+    }
+
     $file = PhabricatorFile::newFromXHRUpload(
       $data,
       array(
         'name' => $request->getStr('name'),
-        'authorPHID' => $user->getPHID(),
+        'authorPHID' => $viewer->getPHID(),
+        'viewPolicy' => $view_policy,
         'isExplicitUpload' => true,
       ));
 
diff --git a/src/applications/files/view/PhabricatorGlobalUploadTargetView.php b/src/applications/files/view/PhabricatorGlobalUploadTargetView.php
--- a/src/applications/files/view/PhabricatorGlobalUploadTargetView.php
+++ b/src/applications/files/view/PhabricatorGlobalUploadTargetView.php
@@ -28,6 +28,7 @@
       'instructions'  => $instructions_id,
       'uploadURI'     => '/file/dropupload/',
       'browseURI'     => '/file/query/authored/',
+      'viewPolicy'    => PhabricatorPolicies::getMostOpenPolicy(),
     ));
 
     return phutil_tag(
diff --git a/webroot/rsrc/js/core/DragAndDropFileUpload.js b/webroot/rsrc/js/core/DragAndDropFileUpload.js
--- a/webroot/rsrc/js/core/DragAndDropFileUpload.js
+++ b/webroot/rsrc/js/core/DragAndDropFileUpload.js
@@ -174,8 +174,13 @@
 
       var up_uri = JX.$U(this.getURI())
         .setQueryParam('name', file.getName())
-        .setQueryParam('__upload__', 1)
-        .toString();
+        .setQueryParam('__upload__', 1);
+
+      if (this.getViewPolicy()) {
+        up_uri.setQueryParam('viewPolicy', this.getViewPolicy());
+      }
+
+      up_uri = up_uri.toString();
 
       var onupload = JX.bind(this, function(r) {
         if (r.error) {
@@ -235,6 +240,7 @@
   },
   properties: {
     URI : null,
-    activatedClass : null
+    activatedClass : null,
+    viewPolicy : null
   }
 });
diff --git a/webroot/rsrc/js/core/behavior-global-drag-and-drop.js b/webroot/rsrc/js/core/behavior-global-drag-and-drop.js
--- a/webroot/rsrc/js/core/behavior-global-drag-and-drop.js
+++ b/webroot/rsrc/js/core/behavior-global-drag-and-drop.js
@@ -21,7 +21,8 @@
   }
 
   var drop = new JX.PhabricatorDragAndDropFileUpload(document.documentElement)
-    .setURI(config.uploadURI);
+    .setURI(config.uploadURI)
+    .setViewPolicy(config.viewPolicy);
 
   drop.listen('didBeginDrag', function() {
     JX.Mask.show();