diff --git a/src/aphront/sink/AphrontHTTPSink.php b/src/aphront/sink/AphrontHTTPSink.php
--- a/src/aphront/sink/AphrontHTTPSink.php
+++ b/src/aphront/sink/AphrontHTTPSink.php
@@ -111,6 +111,17 @@
     // HTTP headers.
     $data = $response->getContentIterator();
 
+    // This isn't an exceptionally clean separation of concerns, but we need
+    // to add CSP headers for all response types (including both web pages
+    // and dialogs) and can't determine the correct CSP until after we render
+    // the page (because page elements like Recaptcha may add CSP rules).
+    $static = CelerityAPI::getStaticResourceResponse();
+    foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
+      foreach ($uris as $uri) {
+        $response->addContentSecurityPolicyURI($kind, $uri);
+      }
+    }
+
     $all_headers = array_merge(
       $response->getHeaders(),
       $response->getCacheHeaders());
diff --git a/src/view/page/PhabricatorStandardPageView.php b/src/view/page/PhabricatorStandardPageView.php
--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@@ -892,13 +892,6 @@
       $response = id(new AphrontWebpageResponse())
         ->setContent($content)
         ->setFrameable($this->getFrameable());
-
-      $static = CelerityAPI::getStaticResourceResponse();
-      foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
-        foreach ($uris as $uri) {
-          $response->addContentSecurityPolicyURI($kind, $uri);
-        }
-      }
     }
 
     return $response;