TeamCity 2019.1 Help

Content Security Policy in TeamCity

Since version 2019.1, TeamCity implements additional HTTP security with the Content-Security-Policy (CSP) header.

The header prohibits TeamCity pages from downloading external resources, with some whitelisted exceptions. Downloading from non-whitelisted resources will be blocked.

In some setups, you may need to allow downloading external resources. For example, when using analytics tools or when integrating TeamCity with external services via a plugin.

As a plugin developer, you can provide CSP directives via the ContentSecurityPolicyConfig OpenAPI interface.

As a server administrator, you can change the CSP header value via the internal properties:

  • for TeamCity administration pages:

    teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=<full_header_value>

  • for other TeamCity pages:

    teamcity.web.header.Content-Security-Policy.protectedValue=<full_header_value>

Adding Google Analytics via internal properties

For example, to allow Google Analytics in a project you must change the values of the following directives in the CSP header:

  • connect-src to allow loading Google Analytics URLs:

    connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
  • img-src to allow loading images:

    img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;
  • script-src to allow loading JavaScript:

    script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com

The internal properties must be set as follows:

# For TeamCity administration pages: teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net # For other pages: teamcity.web.header.Content-Security-Policy.protectedValue=frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' ws: wss: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
Last modified: 11 June 2019