diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -109,7 +109,14 @@
 if ($cdn) {
 $default = $this->newContentSecurityPolicySource($cdn);
 } else {
- $default = "'self'";
+ // If an alternate file domain is not configured and the user is viewing
+ // a Phame blog on a custom domain or some other custom site, we'll still
+ // serve resources from the main site. Include the main site explicitly.
+
+ $base_uri = PhabricatorEnv::getURI('/');
+ $base_uri = $this->newContentSecurityPolicySource($base_uri);
+
+ $default = "'self' {$base_uri}";
 }
 
 $csp[] = "default-src {$default}";
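Review bot: The widened policy is applied through `default-src`, which is the fallback for every fetch directive not set separately (`script-src`, `style-src`, `connect-src`, ...), so the main-site origin is now an allowed script source on every custom-domain page, not just an allowed image/font source; that is presumably intended, but the added comment should say so explicitly, e.g. append `// Note: default-src is the fallback for script-src etc., so this also permits scripts from the main site.` The same local is reused for two different values — a URI string and then a CSP source expression — which hides the transformation; `$base_source = $this->newContentSecurityPolicySource(PhabricatorEnv::getURI('/'));` and `$default = "'self' {$base_source}";` reads more clearly. Whether `newContentSecurityPolicySource()` reduces the URI to scheme+host[:port] and rejects anything that could break out of the header value is not visible in this hunk; the base URI comes from operator configuration rather than the request, so the risk is low, but it is worth confirming. The enclosing method begins and ends outside the hunk.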