Content Security Policy in TeamCity
TeamCity implements additional HTTP security with the Content-Security-Policy (CSP) header.
The header prohibits TeamCity pages from downloading external resources, with some whitelisted exceptions. Downloading from non-whitelisted resources will be blocked.
In some setups, you may need to allow downloading external resources, for example, when using analytics tools or when integrating TeamCity with external services via a plugin.
As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.
As a server administrator, you can change the CSP header value via the internal properties:
for TeamCity administration pages:
teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=<full_header_value>
for other TeamCity pages:
teamcity.web.header.Content-Security-Policy.protectedValue=<full_header_value>
Adding Google Analytics via internal properties
For example, to allow Google Analytics you must change the values of the following directives in the CSP header:
connect-src to allow loading Google Analytics URLs:
connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
img-src to allow loading images:
img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;
script-src to allow loading JavaScript:
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
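The properties take the full header value, so directives other than the three above have to be carried over from the header the server already sends. The script below is an added example, not TeamCity code or documentation: it merges the three directive values from this page into an existing header value, formats the two property lines, and lists sources worth reviewing before rollout. `SAMPLE_CURRENT` is a constructed stand-in for your server's current header, and all helper names are hypothetical.

```python
# Added example: constructed helper, not TeamCity code.
PROP_ADMIN = "teamcity.web.header.Content-Security-Policy.adminUI.protectedValue"
PROP_OTHER = "teamcity.web.header.Content-Security-Policy.protectedValue"

# Directive values taken from the Google Analytics section of this page.
GA_OVERRIDES = {
    "connect-src": "'self' ws: wss: https://www.google-analytics.com "
                   "www.google-analytics.com https://stats.g.doubleclick.net",
    "img-src": "'self' data: https://www.google-analytics.com "
               "www.google-analytics.com https://stats.g.doubleclick.net",
    "script-src": "'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com",
}

# CONSTRUCTED stand-in for the header your server sends today (not TeamCity's real default).
SAMPLE_CURRENT = ("default-src 'self'; connect-src 'self' ws: wss:; img-src 'self' data:; "
                  "script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'")

def parse_csp(header):
    """Split a CSP header value into an ordered {directive: [sources]} dict."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; a repeated directive is ignored.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def merge_csp(current_header, overrides):
    """Replace only the overridden directives and keep all others unchanged."""
    policy = parse_csp(current_header)
    for name, value in overrides.items():
        policy[name] = value.split()
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())

def risky_sources(header):
    """List (directive, source) pairs that deserve review before rollout."""
    flagged = ("'unsafe-inline'", "'unsafe-eval'", "*")
    return [(name, s) for name, sources in parse_csp(header).items()
            for s in sources if s.lower() in flagged]

def property_line(key, header):
    """Format one internal-property line carrying the full header value."""
    return f"{key}={header}"

if __name__ == "__main__":
    merged = merge_csp(SAMPLE_CURRENT, GA_OVERRIDES)
    print(property_line(PROP_ADMIN, merged))
    print(property_line(PROP_OTHER, merged))
    for directive, source in risky_sources(merged):
        print(f"review: {directive} allows {source}")
```

Replace `SAMPLE_CURRENT` with the `Content-Security-Policy` value captured from your own server's responses before using the output.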
The internal properties must be set as follows: