diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 37a366663..c0fe14436 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -14,7 +14,7 @@
 <%= stylesheet_link_tag 'application', media: 'all' %>
 <% if ::NewRelic::Agent.instance.started? %>
- <%= ::NewRelic::Agent.browser_timing_header("nonce") %>
+ <%= ::NewRelic::Agent.browser_timing_header(controller.request.content_security_policy_nonce) %>
 <% end %>
 <%= javascript_include_tag 'jquery_bundle' %>
 <%= javascript_include_tag 'application' %>
diff --git a/config/initializers/active_storage.rb b/config/initializers/active_storage.rb
index 7093b402e..c43b698e4 100644
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@@ -16,11 +16,6 @@ Rails.application.config.active_storage.variable_content_types << 'image/svg+xml
 Rails.application.config.active_storage.variant_processor = :vips if ENV['ACTIVESTORAGE_ENABLE_VIPS'] == 'true'
-if Rails.application.config.active_storage.service == :amazon
- Rails.application.config.active_storage.bucket_url =
- "https://#{ENV.fetch('S3_BUCKET', nil)}.s3.#{ENV('S3_REGION', nil) || ENV.fetch('AWS_REGION', nil)}.amazonaws.com/"
-end
-
 ActiveStorage::Downloader.class_eval do
 def open(key, checksum:, name: 'ActiveStorage-', tmpdir: nil)
 open_tempfile(name, tmpdir) do |file|
diff --git a/config/initializers/extends.rb b/config/initializers/extends.rb
index 19cc3057a..a2fac7e43 100644
--- a/config/initializers/extends.rb
+++ b/config/initializers/extends.rb
@@ -554,6 +554,7 @@ class Extends
 EXTERNAL_SERVICES = %w(
 https://www.protocols.io/
 http://127.0.0.1:9100/available
+ https://marvinjs.chemicalize.com/
 )
 EXTERNAL_SERVICES += [s3] if s3
 end
diff --git a/config/initializers/security_policy.rb b/config/initializers/security_policy.rb
index 47d6b1432..dedcd4732 100644
--- a/config/initializers/security_policy.rb
+++ b/config/initializers/security_policy.rb
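Review bot: The nonce is read through `controller.request.content_security_policy_nonce`, while Rails already exposes the same value to views as the `content_security_policy_nonce` helper, so the added line reads more naturally as `<%= ::NewRelic::Agent.browser_timing_header(content_security_policy_nonce) %>`. Either way the value is nil when no `content_security_policy_nonce_generator` is configured, and a nonce-less inline script would then be blocked by the nonce-based script-src that security_policy.rb configures; confirm the generator is set in every environment where the New Relic agent is started.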
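Review bot: The new `https://marvinjs.chemicalize.com/` entry carries no comment saying which feature depends on it, although this list is later spread into the CSP `connect_src` directive (security_policy.rb in this same diff), so every entry is effectively a CSP exemption. A one-line comment above it, `# Marvin JS editor (presumably); allowed origin for the CSP sources built from this list`, would let a later reviewer drop it when the integration goes away. Listing the bare origin rather than a path is what a CSP source list needs, so that breadth itself is expected.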
@@ -28,3 +28,13 @@ Rails.application.config.content_security_policy_nonce_directives = %w(script-sr
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
+
+# Whitelist AWS buckets
+Rails.application.configure do
+ config.after_initialize do
+ return unless ActiveStorage::Blob.service.name == :amazon
+
+ Extends::EXTERNAL_SERVICES += [ActiveStorage::Blob.service.bucket.url]
+ Rails.application.config.content_security_policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
+ end
+end
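Review bot: `return unless ActiveStorage::Blob.service.name == :amazon` is a `return` inside the `config.after_initialize do` block, which Rails runs after this initializer file has finished loading; a `return` in a plain block tries to leave the frame that defined the block, so on any deployment whose service is not `:amazon` this is likely to raise LocalJumpError at boot instead of quietly skipping. Replace it with `next unless ActiveStorage::Blob.service.name == :amazon`, which exits only the block. The `Extends::EXTERNAL_SERVICES +=` on the following line reassigns a constant at runtime and so emits Ruby's "already initialized constant" warning; because the value is consumed on the very next line, `sources = Extends::EXTERNAL_SERVICES + [ActiveStorage::Blob.service.bucket.url]` followed by `connect_src :self, :data, *sources` avoids that, unless other code is expected to read the extended constant after boot. Matching on the storage.yml key `:amazon` rather than the service type also means an S3 service configured under another name never gets its bucket origin allowed; checking `ActiveStorage::Blob.service.respond_to?(:bucket)` would follow the type instead, if that is the intent.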