diff --git a/.env.production.sample b/.env.production.sample
index 12ab2b6dcb..4afaf8d756 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -79,6 +79,9 @@ AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 S3_ALIAS_HOST=files.example.com
+# Optional list of hosts that are allowed to serve media for your instance
+# EXTRA_MEDIA_HOSTS=https://data.example1.com,https://data.example2.com
+
 # IP and session retention
 # -----------------------
 # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
diff --git a/app/lib/content_security_policy.rb b/app/lib/content_security_policy.rb
index c764d1856d..fc42e2d48b 100644
--- a/app/lib/content_security_policy.rb
+++ b/app/lib/content_security_policy.rb
@@ -10,7 +10,7 @@ class ContentSecurityPolicy
 end
 def media_hosts
- [assets_host, cdn_host_value, paperclip_root_url].compact
+ [assets_host, cdn_host_value, paperclip_root_url].concat(extra_media_hosts).compact
 end
 def sso_host
@@ -31,6 +31,10 @@ class ContentSecurityPolicy
 private
+ def extra_media_hosts
+ ENV.fetch('EXTRA_MEDIA_HOSTS', '').split(/(?:\s*,\s*|\s+)/)
+ end
+
 def url_from_configured_asset_host
 Rails.configuration.action_controller.asset_host
 end
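Review bot: The trailing `.compact` in `media_hosts` removes only `nil`, so empty strings coming from the new `extra_media_hosts` list stay in the result. The split pattern yields `""` when `EXTRA_MEDIA_HOSTS` starts with whitespace or a comma, or contains an empty item such as `a, ,b`. Building the list without mutation and dropping blanks in one step would cover both cases: `[assets_host, cdn_host_value, paperclip_root_url, *extra_media_hosts].reject(&:blank?)`. How the returned hosts are consumed is outside this diff, so the effect of an empty entry on the emitted policy should be confirmed.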
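Review bot: `extra_media_hosts` returns every token from `EXTRA_MEDIA_HOSTS` unchecked, so a typo or an over-broad entry such as `*` or a bare `https:` would presumably land in the policy's media sources and silently widen it. The consumer of `media_hosts` is not visible in this diff, so the affected directives should be confirmed. I would keep only entries that parse as an absolute http(s) origin, as sketched below, and relax the check deliberately if bare hostnames are meant to be accepted. The method also deserves a comment saying that these are operator-supplied origins added to the CSP source list, and the sample entry in `.env.production.sample` could say the same so operators list only hosts they control.

```ruby
  def extra_media_hosts
    ENV.fetch('EXTRA_MEDIA_HOSTS', '').split(/(?:\s*,\s*|\s+)/).select do |entry|
      uri = URI.parse(entry)
      # Keep only absolute http(s) origins; scheme-only or keyword tokens are dropped.
      uri.is_a?(URI::HTTP) && uri.host.present?
    rescue URI::InvalidURIError
      false
    end
  end
```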