diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index fe800de5dd8b84e237899c93eee28f93dd82dad1..748d1b26e5c119b5b7eafd658ba0cde569530d4c 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -15,6 +15,16 @@ class RegistrationsController < Devise::RegistrationsController
 
   feature_category :authentication_and_authorization
 
+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
   def new
     @resource = build_resource
   end
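Review bot: At L12 the union operand is a single string holding two space-separated sources, so `|` can only de-duplicate against an identical two-host string; if either host is already present in `policy.directives['script-src']` as its own element (as `cdn.cookielaw.org` was in the old global default) it is emitted twice, and the same applies to L15. Giving each source its own element keeps the union meaningful: `script_src_values = Array.wrap(policy.directives['script-src']) | %w[https://cdn.cookielaw.org https://*.onetrust.com]`. Note also that `https://*.onetrust.com` is a new wildcard host that the old global policy did not allow, and that with `'strict-dynamic'` in the base `script_src` (L96) CSP3 browsers ignore host sources entirely, so these entries only matter for browsers lacking strict-dynamic support while the nonce on the script tags does the real work; a one-line comment saying so would save the next reader from widening this list further.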
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 4fcf82c605b3177e1bd910cb3171f420fa5c527c..92014c11e3308d1493f6895d908b8235b6937c87 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -55,6 +55,16 @@ class SessionsController < Devise::SessionsController
   CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'
   MAX_FAILED_LOGIN_ATTEMPTS = 5
 
+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
   def new
     set_minimum_password_length
 
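Review bot: The block at L30-L38 is byte-identical to the one added to `RegistrationsController` (and again in the EE trial controller), so the OneTrust host list now lives in three places and will drift the next time a host changes. Extracting it into a concern that each controller includes keeps a single, frozen source of truth and makes the allow-list reviewable in one spot; the controllers then need only `include OneTrustCSP` (name is a suggestion). The `|` merge against the existing directive is preserved below; whether the project already has a conventional place for such controller CSP helpers I cannot tell from this diff.
```ruby
# app/controllers/concerns/one_trust_csp.rb
module OneTrustCSP
  extend ActiveSupport::Concern

  # Hosts the OneTrust consent widget loads scripts from / talks to.
  SCRIPT_SRC = %w[https://cdn.cookielaw.org https://*.onetrust.com].freeze
  CONNECT_SRC = %w[https://cdn.cookielaw.org].freeze

  included do
    content_security_policy do |policy|
      next if policy.directives.blank?

      policy.script_src(*(Array.wrap(policy.directives['script-src']) | SCRIPT_SRC))
      policy.connect_src(*(Array.wrap(policy.directives['connect-src']) | CONNECT_SRC))
    end
  end
end
```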
diff --git a/app/views/layouts/_one_trust.html.haml b/app/views/layouts/_one_trust.html.haml
index 8460d071a88637e8a94631f9775eba10971dbfc4..28d57e60ddc30be36fedbabba7b102c400245b92 100644
--- a/app/views/layouts/_one_trust.html.haml
+++ b/app/views/layouts/_one_trust.html.haml
@@ -1,7 +1,7 @@
 - if one_trust_enabled?
   <!-- OneTrust -->
   = javascript_include_tag "https://cdn.cookielaw.org/consent/#{extra_config.one_trust_id}/OtAutoBlock.js"
-  %script{ :src => "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", :charset => "UTF-8", :"data-domain-script" => extra_config.one_trust_id, :defer => true, :nonce => true }
-  = javascript_tag nonce: true do
+  %script{ :src => "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", :charset => "UTF-8", :"data-domain-script" => extra_config.one_trust_id, :defer => true, :nonce => content_security_policy_nonce }
+  = javascript_tag nonce: content_security_policy_nonce do
     :plain
       function OptanonWrapper() { }
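Review bot: The `javascript_include_tag` on L50 still carries no nonce while the two tags below it now get the real `content_security_policy_nonce`; with `'strict-dynamic'` present in the base `script_src`, CSP3 browsers disregard host-source entries such as `https://cdn.cookielaw.org`, so `OtAutoBlock.js` would be blocked on those browsers unless this helper is overridden elsewhere in the project to inject the nonce (I cannot see that from the diff). If it is not, `= javascript_include_tag "https://cdn.cookielaw.org/consent/#{extra_config.one_trust_id}/OtAutoBlock.js", nonce: true` makes it consistent with the other two tags. The switch from `:nonce => true` to the explicit helper on L53 is the right fix for a HAML attribute hash, which would otherwise render a boolean `nonce` attribute rather than the value.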
diff --git a/ee/app/controllers/trial_registrations_controller.rb b/ee/app/controllers/trial_registrations_controller.rb
index 9da8a7f0402545e4d02d99d20727b104ec134746..a43ab34f2a546b1c45c8959e3535cfdf29d752f4 100644
--- a/ee/app/controllers/trial_registrations_controller.rb
+++ b/ee/app/controllers/trial_registrations_controller.rb
@@ -12,6 +12,16 @@ class TrialRegistrationsController < RegistrationsController
   before_action :check_if_gl_com_or_dev
   before_action :set_redirect_url, only: [:new]
 
+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
   def new
   end
 
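Review bot: `TrialRegistrationsController` inherits from `RegistrationsController` (L61), which already declares an identical `content_security_policy` block in this same diff; since Rails implements that class method as a `before_action`, subclasses inherit it, so the copy at L65-L73 most likely re-runs the same merge on every trial-registration request. The `|` union makes the second pass harmless, but it is dead weight and a second place to keep in sync. Unless the EE controller is expected to diverge from its parent's CSP later, I would drop this block entirely.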
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index ed4f42c92e5f9660f863d4f2046ad80a84b7dc86..0e3fa8b8d8700e9bb4c116cfe08c0d572cbfdddc 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -15,7 +15,7 @@ module Gitlab
         directives = {
           'default_src' => "'self'",
           'base_uri' => "'self'",
-          'connect_src' => "'self' https://cdn.cookielaw.org",
+          'connect_src' => "'self'",
           'font_src' => "'self'",
           'form_action' => "'self' https: http:",
           'frame_ancestors' => "'self'",
@@ -23,7 +23,7 @@ module Gitlab
           'img_src' => "'self' data: blob: http: https:",
           'manifest_src' => "'self'",
           'media_src' => "'self'",
-          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org",
+          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
           'style_src' => "'self' 'unsafe-inline'",
           'worker_src' => "'self' blob: data:",
           'object_src' => "'none'",
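Review bot: Removing `https://cdn.cookielaw.org` from the global defaults on L87 and L96 is a good least-privilege tightening, but nothing in this file now records that the host moved to per-controller policies, so a future reader will not know where to look when the consent widget breaks on some page. A short comment above `'script_src'` along the lines of `# OneTrust (cdn.cookielaw.org, *.onetrust.com) is allow-listed only by the sign-in/registration controllers that render it; see their content_security_policy blocks.` would close that gap. It may also be worth noting there that `'strict-dynamic'` causes CSP3 browsers to ignore the host entries in this directive, so the remaining hosts serve only older browsers.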
diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
index d0afd502050b87aae49ca2ad492020c2955108ed..3ec332dace594b2f9a1d35ad9aa0551c4b5f7ae0 100644
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -56,22 +56,22 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
     context 'adds all websocket origins to support Safari' do
       it 'with insecure domain' do
         stub_config_setting(host: 'example.com', https: false)
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com")
+        expect(directives['connect_src']).to eq("'self' ws://example.com")
       end
 
       it 'with secure domain' do
         stub_config_setting(host: 'example.com', https: true)
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org wss://example.com")
+        expect(directives['connect_src']).to eq("'self' wss://example.com")
       end
 
       it 'with custom port' do
         stub_config_setting(host: 'example.com', port: '1234')
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com:1234")
+        expect(directives['connect_src']).to eq("'self' ws://example.com:1234")
       end
 
       it 'with custom port and secure domain' do
         stub_config_setting(host: 'example.com', https: true, port: '1234')
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org wss://example.com:1234")
+        expect(directives['connect_src']).to eq("'self' wss://example.com:1234")
       end
     end
 
@@ -81,7 +81,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
       end
 
       it 'adds CDN host to CSP' do
-        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://example.com")
+        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
         expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
         expect(directives['font_src']).to eq("'self' https://example.com")
       end
@@ -94,7 +94,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
       end
 
       it 'adds sentry path to CSP without user' do
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com dummy://example.com/43")
+        expect(directives['connect_src']).to eq("'self' ws://example.com dummy://example.com/43")
       end
     end
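Review bot: The spec changes here only track the removal of the host from the global defaults; nothing in this diff exercises the new controller-level merge, so a regression that drops `https://cdn.cookielaw.org` from `script-src` or `connect-src` on the sign-in or registration pages would go unnoticed. A request spec on `GET /users/sign_in` (and `/users/sign_up`) asserting that `response.headers['Content-Security-Policy']` contains `https://cdn.cookielaw.org` alongside the original directives, and that it is absent on an unrelated page, would pin the intended scope. Whether such a spec exists outside this diff I cannot tell from here.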