Content Security Policy in TeamCity
TeamCity implements additional HTTP security with the Content-Security-Policy (CSP) header.
The header prohibits TeamCity pages from downloading external resources, with some whitelisted exceptions. Downloading from non-whitelisted resources will be blocked.
In some setups, you may need to allow downloading external resources, for example, when using analytics tools or when integrating TeamCity with external services via a plugin.
As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.
Changing CSP Header Value
As a server administrator, you can change the CSP header value via the internal properties.
For TeamCity administration pages:
teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=<value>
For other TeamCity pages:
teamcity.web.header.Content-Security-Policy.protectedValue=<value>
In the value, you only need to provide the custom part of the CSP header. If you provide the full value, only its custom parts will be applied.
Adding Google Analytics via internal properties
To allow Google Analytics you must change the values of the following directives in the CSP header:
connect-src to allow loading Google Analytics URLs:
connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
img-src to allow loading images:
img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;
script-src to allow loading JavaScript:
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
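The following Python check is an added example, not part of the TeamCity documentation. It parses a Content-Security-Policy header value and reports which of the Google Analytics sources listed above are missing from each directive, and which script-src keywords weaken the policy. The function names and the sample header strings are constructed for illustration.

```python
# Added example, not TeamCity code. Header strings below are constructed samples.
REQUIRED = {  # sources taken from the directives listed on this page
    "connect-src": ["https://www.google-analytics.com", "https://stats.g.doubleclick.net"],
    "img-src": ["https://www.google-analytics.com", "https://stats.g.doubleclick.net"],
    "script-src": ["https://www.google-analytics.com"],
}
# Keywords that re-enable inline script and eval(), weakening XSS protection.
RISKY = {"'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective(policy, directive):
    """Fetch directives fall back to default-src when they are absent."""
    return policy.get(directive, policy.get("default-src", []))

def missing_sources(policy, required=REQUIRED):
    """Return {directive: [sources not listed]} using exact token comparison
    (no wildcard or scheme matching, which real CSP evaluation also performs)."""
    report = {}
    for directive, sources in required.items():
        absent = [s for s in sources if s not in effective(policy, directive)]
        if absent:
            report[directive] = absent
    return report

def risky_script_keywords(policy):
    """List the script-src keywords that loosen the policy."""
    return sorted(RISKY.intersection(effective(policy, "script-src")))

GA = "https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net"
SAMPLE_APPLIED = (  # constructed: custom directives present
    f"default-src 'self'; connect-src 'self' ws: wss: {GA}; img-src 'self' data: {GA}; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com"
)
SAMPLE_NOT_APPLIED = (  # constructed: duplicate script-src, nothing else customised
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "script-src https://www.google-analytics.com"
)

if __name__ == "__main__":
    for name, header in (("applied", SAMPLE_APPLIED), ("not applied", SAMPLE_NOT_APPLIED)):
        p = parse_csp(header)
        print(name, "missing:", missing_sources(p), "risky:", risky_script_keywords(p))
```

To check a running server, pass the Content-Security-Policy value from one of its responses to `parse_csp` in place of the constructed samples.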
The internal properties must be set as follows: