diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -154,6 +154,9 @@
 // download URI instead of submitting a form to it.
 $csp[] = "form-action 'self'";
+ // Block use of "" to change the origin of relative URIs on the page.
+ $csp[] = "base-uri 'none'";
+
 $csp = implode('; ', $csp);
 return $csp;