How not to accidentally block Google Analytics on your site

Content Security Policy (CSP) is a web standard that protects against serious security threats delivered through third-party assets, such as cross-site scripting (XSS) attacks. CSP describes safe sources, establishes rules of use of inline styles and scripts as well as
Google Analytics can use 2 - 4 features often restricted by Content Security Policy, so your task is to enable them.
The first thing you should do is configure the script-src directive to allow Google Analytics to run JavaScript.
Note: the https is optional, while the www is mandatory.
Note: This is an inline snippet, known as function(i,s,o,g,r,a,m), which is restricted by CSP.
Here are 3 ways you can run Google Analytics, from less secure to more reliable:
Content Security Policy may restrict the ways Google Analytics sends data to servers: POST requests, image requests and the browser “Beacon” feature.
Here is a simple policy enabling Google Analytics to function without the AdWords or Advertising features. It allows only what is strictly necessary and restricts other non-Google resources.
default-src 'self' https://www.google-analytics.com 'unsafe-inline'
This policy requires you to move the Google Analytics code snippet into a separate file hosted on the same domain as the main site.
script-src 'self' https://www.google-analytics.com;
connect-src https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net
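To check a policy against the requirements above before deploying it, the following added example (not code from the original page) parses a CSP header and reports which of script-src, connect-src and img-src would block www.google-analytics.com, and whether 'unsafe-inline' is in effect. The function names are hypothetical, the source matching is deliberately simplified, and the third sample policy is constructed to show the missing "www" case.

```javascript
// Added example (not from the original page): audit a CSP header for Google Analytics.
const GA_HOST = 'www.google-analytics.com';

// Split "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Simplified host-source matching: "*", "https:", exact host, or "*.parent" wildcard.
// Scheme, port and path on the source expression are ignored (assumption of this sketch).
function allowsHost(sources, host) {
  return sources.some((src) => {
    if (src === '*' || src === 'https:') return true;
    const h = src.replace(/^https?:\/\//, '').replace(/[:/].*$/, '');
    return h.startsWith('*.') ? host.endsWith(h.slice(1)) : h === host;
  });
}

function auditGaCsp(header) {
  const policy = parseCsp(header);
  // Fetch directives fall back to default-src; with neither present the fetch is unrestricted.
  const effective = (name) => policy.get(name) ?? policy.get('default-src') ?? null;
  // script-src loads the library; connect-src and img-src carry POST/Beacon and image hits.
  const blocked = ['script-src', 'connect-src', 'img-src'].filter((name) => {
    const sources = effective(name);
    return sources !== null && !allowsHost(sources, GA_HOST);
  });
  const script = effective('script-src') ?? [];
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const unsafeInline = script.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { blocked, unsafeInline };
}

// The two policies shown on this page, plus a constructed one that drops the "www".
const PAGE_POLICY_INLINE = "default-src 'self' https://www.google-analytics.com 'unsafe-inline'";
const PAGE_POLICY_FILE = "script-src 'self' https://www.google-analytics.com; " +
  'connect-src https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net';
const CONSTRUCTED_NO_WWW = "default-src 'self'; script-src 'self' https://google-analytics.com";

for (const p of [PAGE_POLICY_INLINE, PAGE_POLICY_FILE, CONSTRUCTED_NO_WWW]) {
  console.log(JSON.stringify(auditGaCsp(p)), '<-', p);
}
```

An empty `blocked` list with `unsafeInline: false` means the policy lets Google Analytics load and report while still refusing inline script, which is the state the separate-file policy aims for.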
Content Security Policy may also restrict some assets loaded on your page by Google Tag Manager.
Tag Manager is a script-injection framework that dynamically loads JavaScript sections onto your page, so you can’t restrict it from executing inline snippets as it works with Google Analytics. To make Tag Manager function, you should:
If you need to load some third-party tracking pixels, you should work out how to allow the appropriate script or image sources.
Trial and error is the most efficient method here: