Content Security Policy in TeamCity
TeamCity adds a layer of HTTP security with the Content-Security-Policy (CSP) header.
The header restricts the external resources (scripts, images, XHR and WebSocket endpoints, and so on) that TeamCity pages may load, with a small set of whitelisted exceptions. The browser blocks loads from any origin the policy does not allow.
In some setups you may need to allow additional external resources, for example when using analytics tools or when integrating TeamCity with external services via a plugin.
As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.
Changing CSP Header Value
As a server administrator, you can replace the CSP header value via the internal properties. There are two properties, because administration pages and all other pages carry separate policies:
For TeamCity administration pages:
teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=<full_header_value>
For other TeamCity pages:
teamcity.web.header.Content-Security-Policy.protectedValue=<full_header_value>
Note: each property must contain the full value of the CSP header, not only the directives you want to add, so change it with extra caution. A value that omits a directive or a source expression loosens or breaks the policy (for example, dropping 'self' from script-src blocks TeamCity's own scripts), so start from the header your server currently sends and append to it.
Adding Google Analytics via internal properties
To allow Google Analytics, you must extend the values of the following directives in the CSP header:
connect-src, to allow requests to the Google Analytics URLs:
connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
img-src, to allow loading the tracking images:
img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
script-src, to allow loading the analytics JavaScript:
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
A scheme-less host source such as www.google-analytics.com matches the scheme of the TeamCity page itself, so on a server reached over plain HTTP it also permits http:// loads; if TeamCity is served over HTTPS, the https:// entries alone are sufficient.
The internal properties must be set as follows:
# For TeamCity administration pages:
teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
# For other pages:
teamcity.web.header.Content-Security-Policy.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
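Because the properties take the whole header, the practical task is to merge new sources into the policy the server already sends rather than retype it. The following script is an added example, not TeamCity code or part of this page: it parses a CSP value, appends sources per directive without duplicating existing ones, seeds a newly created fetch directive from default-src (once a directive exists it no longer inherits default-src, so adding only the new hosts would silently drop 'self'), emits the two property lines, and lists the source expressions that weaken script execution. BASE_POLICY is constructed for the example by removing the Google Analytics sources from the final value quoted above; confirm it against the Content-Security-Policy header your own server returns before relying on it.

```python
"""Added example (not TeamCity code): build the TeamCity internal-property lines
that extend an existing Content-Security-Policy value with extra sources."""

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}

# Assumed base policy, constructed for this example from the page's final value
# with the Google Analytics sources removed. Check your server's real header.
BASE_POLICY = (
    "frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; "
    "connect-src 'self' ws: wss:"
)

# Sources the page lists for Google Analytics, keyed by directive.
GOOGLE_ANALYTICS_SOURCES = {
    "connect-src": ["https://www.google-analytics.com", "www.google-analytics.com",
                    "https://stats.g.doubleclick.net"],
    "img-src": ["https://www.google-analytics.com", "www.google-analytics.com",
                "https://stats.g.doubleclick.net"],
    "script-src": ["https://www.google-analytics.com"],
}

# Source expressions that let any injected markup run as script.
WEAK_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value):
    """Split a header value into an insertion-ordered {directive: [sources]} dict."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep only the first occurrence.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def serialize_csp(directives):
    """Join directives back into a header value (no trailing semicolon)."""
    return "; ".join(" ".join([name, *sources]) for name, sources in directives.items())


def extend_csp(value, additions):
    """Append sources to directives, skipping ones already present (case-insensitive)."""
    directives = parse_csp(value)
    for name, new_sources in additions.items():
        name = name.lower()
        if name not in directives:
            # A new fetch directive stops inheriting default-src, so copy it first.
            seed = directives.get("default-src", []) if name in FALLS_BACK_TO_DEFAULT else []
            directives[name] = list(seed)
        present = {s.lower() for s in directives[name]}
        for source in new_sources:
            if source.lower() not in present:
                directives[name].append(source)
                present.add(source.lower())
    return serialize_csp(directives)


def property_lines(policy):
    """The two internal-property lines named on the page, each with the full value."""
    return [
        f"teamcity.web.header.Content-Security-Policy.adminUI.protectedValue={policy}",
        f"teamcity.web.header.Content-Security-Policy.protectedValue={policy}",
    ]


def weak_sources(value):
    """Return (directive, source) pairs that loosen script execution."""
    return [(name, s) for name, sources in parse_csp(value).items()
            for s in sources if s.lower() in WEAK_TOKENS]


if __name__ == "__main__":
    policy = extend_csp(BASE_POLICY, GOOGLE_ANALYTICS_SOURCES)
    print("\n".join(property_lines(policy)))
    for directive, source in weak_sources(policy):
        print(f"warning: {directive} still allows {source}")
```

Run it and paste the two printed lines into internal.properties. The warnings are expected with the policy shown on this page, since its default-src and script-src already carry 'unsafe-inline' and 'unsafe-eval'; adding Google Analytics does not tighten them, and removing them is a separate change that has to be tested against TeamCity's own pages.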