I have a simple localhost website to test out Google Analytics, but every time I go to the site and look at the log, I see the JavaScript code is being blocked by CSP.
Here's the script:
<script type="text/javascript">
    (function (i, s, o, g, r, a, m) {
        i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () {
            (i[r].q = i[r].q || []).push(arguments)
        }, i[r].l = 1 * new Date(); a = s.createElement(o),
        m = s.getElementsByTagName(o)[0]; a.async = 1; a.src = g; m.parentNode.insertBefore(a, m)
    })(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
    ga('create', 'UA-12345678-1', 'auto', { 'siteSpeedSampleRate': 100 });
    ga('send', 'pageview');
    ga('create', 'UA-87654321-1', 'auto', 'clientTracker', { 'siteSpeedSampleRate': 100 });
    ga('clientTracker.send', 'pageview');
</script>
And here's the CSP content:
<httpProtocol>
    <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://www.google-analytics.com https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.google-analytics.com https://ssl.google-analytics.com; object-src 'none'; media-src 'none'; frame-src 'none' "/>
    </customHeaders>
</httpProtocol>
Finally, here's the screenshot of the errors:
Note: I did come across a few posts (here and here). While I found some similarities in them, the solutions didn't work for me (or maybe I did something wrong; if so, please point it out).
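The following is an added example, not part of the original question: a small evaluator that runs the posted policy against the two script loads the posted snippet performs (the inline bootstrap block and the external analytics.js file). The page origin `http://localhost` and all function names are assumptions; only keyword and scheme://host sources are modelled.

```javascript
// Added example: minimal CSP check for script loads. Handles keyword sources and
// scheme://host sources only (no paths, ports, wildcards, nonces or hashes).
const POLICY = "default-src 'self'; script-src 'self' https://www.google-analytics.com https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.google-analytics.com https://ssl.google-analytics.com; object-src 'none'; media-src 'none'; frame-src 'none' ";
const PAGE_ORIGIN = "http://localhost"; // assumed origin of the test site

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src governs scripts; default-src applies only when it is absent.
function scriptSources(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Without 'unsafe-inline' (or a nonce/hash, not modelled here) inline blocks are refused.
function inlineScriptAllowed(directives) {
  const sources = scriptSources(directives);
  return sources === null || sources.includes("'unsafe-inline'");
}

function externalScriptAllowed(directives, url, pageOrigin = PAGE_ORIGIN) {
  const sources = scriptSources(directives);
  if (sources === null) return true;
  const target = new URL(url, pageOrigin);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === new URL(pageOrigin).origin;
    if (src.startsWith("'") || !src.includes("://")) return false; // not modelled
    const allowed = new URL(src);
    // CSP Level 3 lets an http: source also match the https: form of the host.
    const schemeOk = allowed.protocol === target.protocol ||
      (allowed.protocol === "http:" && target.protocol === "https:");
    return schemeOk && allowed.hostname === target.hostname;
  });
}

function checkPage(policy = POLICY) {
  const d = parsePolicy(policy);
  return {
    inlineBootstrap: inlineScriptAllowed(d),
    analyticsJs: externalScriptAllowed(d, "https://www.google-analytics.com/analytics.js"),
  };
}

console.log(checkPage());
```

Under this policy the external file passes `script-src` while the inline block does not; serving the bootstrap code from a same-origin .js file, or allowing it with a nonce or hash source, satisfies `script-src` without adding `'unsafe-inline'`.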