Unable to download file from Mock (Pholio) because of CSP policy


  • Bug reports MUST include reproduction instructions which allow someone who does not have access to your environment to reproduce the issue you’re encountering.
  • Bug reports MUST be against a recent version of Phabricator, and include version information. You can find version information in “Config > Version Information” in the web UI, or arc version from the CLI.

Based on what can I see Pholio’s download button uses form to start file downloading which causes CSP violation.

Reproduction Instructions

  1. Create a Mock in Pholio with any file which browser is unable to display inline, like PSD or any other. The only meaning condition here it must be in the mock itself (not in comment or description), and it must not be possible for browser to display the file inline.
  2. Open the mock just created and try to download the file with the button contains down arrow at the right bottom corner of file preview.

Expected result: browser begins file downloading
Actual result: nothing happens, browser JS console displays error because it does not appear in the form-action directive of the Content Security Policy..

Phabricator/Arcanist Version: deployed from git: 5e06d924f8eba5df354c690ceb693e454e965d16
Output from Config > Version Information or arc version: arcanist versions displayed is unknown. It was deployed from git: 68dba1a2c6d9fe1de7b9d4c944336458d0f016b3