TeamCity On-Premises 2023.05 Help

Content Security Policy in TeamCity

TeamCity implements additional HTTP security with the Content-Security-Policy (CSP) header.

The header prohibits TeamCity pages from downloading external resources, with some whitelisted exceptions. Downloading from non-whitelisted resources will be blocked.

In some setups, you may need to allow downloading external resources. For example, when using analytics tools or when integrating TeamCity with external services via a plugin.

As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.

Changing CSP Header Value

As a server administrator, you can change the CSP header value via the internal properties.

  • For TeamCity administration pages:

    teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=<value>
  • For other TeamCity pages:

    teamcity.web.header.Content-Security-Policy.protectedValue=<value>

In the value, you only need to provide the custom part of the CSP header. If you provide the full value, only its custom parts will be applied.

Adding Google Analytics via internal properties

To allow Google Analytics you must change the values of the following directives in the CSP header:

  • connect-src to allow loading Google Analytics URLs:

    connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
  • img-src to allow loading images:

    img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;
  • script-src to allow loading JavaScript:

    script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com

The internal properties must be set as follows:

# For TeamCity administration pages: teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net # For other pages: teamcity.web.header.Content-Security-Policy.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
Last modified: 22 August 2023