diff --git a/lib/file_helper.rb b/lib/file_helper.rb
index 9798a322982..fedfcc67ed9 100644
--- a/lib/file_helper.rb
+++ b/lib/file_helper.rb
@@ -11,13 +11,14 @@ class FileHelper
     url = "https:" + url if url.start_with?("//")
     raise Discourse::InvalidParameters.new(:url) unless url =~ /^https?:\/\//
 
-    # uri = FinalDestination.new(url).resolve
-    uri = URI.parse(url)
+    uri = FinalDestination.new(url, max_redirects: follow_redirect ? 5 : 1).resolve
+    return unless uri.present?
+
     extension = File.extname(uri.path)
     tmp = Tempfile.new([tmp_file_name, extension])
 
     File.open(tmp.path, "wb") do |f|
-      downloaded = uri.open("rb", read_timeout: read_timeout, redirect: follow_redirect, allow_redirections: :all)
+      downloaded = uri.open("rb", read_timeout: read_timeout)
       while f.size <= max_file_size && data = downloaded.read(512.kilobytes)
         f.write(data)
       end
diff --git a/lib/final_destination.rb b/lib/final_destination.rb
index c3fa9be503c..529c906dcb0 100644
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@@ -77,6 +77,15 @@ class FinalDestination
   end
 
   def is_dest_valid?
+
+    # CDNs are always allowed
+    return true if SiteSetting.s3_cdn_url.present? &&
+      @uri.hostname == URI(SiteSetting.s3_cdn_url).hostname
+
+    global_cdn = GlobalSetting.try(:cdn_url)
+    return true if global_cdn.present? &&
+      @uri.hostname == URI(global_cdn).hostname
+
     return false unless @uri && @uri.host
 
     address_s = @opts[:lookup_ip].call(@uri.hostname)
diff --git a/spec/components/final_destination_spec.rb b/spec/components/final_destination_spec.rb
index 87e29a0e8a7..29ff9bd3bfc 100644
--- a/spec/components/final_destination_spec.rb
+++ b/spec/components/final_destination_spec.rb
@@ -57,7 +57,6 @@ describe FinalDestination do
         expect(final.redirected?).to eq(false)
         expect(final.status).to eq(:resolved)
       end
-
     end
 
     context "underscores in URLs" do