Hue may have allowed external domains such as doubleclick.net, .googletagmanager.com,
or *.google-analytics.com to run JavaScript scripts, for certain URLs in the Content
Security Policy (CSP) headers. This may lead to Common Weakness Enumeration (CWE-16). To
secure Hue from CWE-16 class of weaknesses, you can add the X-Content-Type-Options response
HTTP header and prevent attacks based on MIME-type confusions in Hue’s Advanced
Configuration Snippet using Cloudera Manager.
-
Log in to Cloudera Manager as an Administrator.
-
Go to and add the following lines in the Hue Service
Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.in field:
[desktop]
# X-Content-Type-Options: nosniff This is an HTTP response header
# feature that helps prevent attacks based on MIME-type confusion.
secure_content_security_policy="script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.doubleclick.net data:;img-src 'self' *.doubleclick.net http://*.tile.osm.org *.tile.osm.org *.gstatic.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com;connect-src 'self' *.google-analytics.com;frame-src *;child-src 'self' data: *.vimeo.com;object-src 'none'"
-
Click Save Changes.
-
Restart the Hue service.