CSP protect from XSS
Well if you are working on .Net the only option you have is to add custom response header in Web.config file and list all JS. But here is the catch if you working with third party analytics this become tricky. There is a constraint and challenge to do so. Per say, these analytics injects lot of js libraries at runtime. It can be facebook , google tag manager, live person, social media plugins or advert. This is where one needs to draw line and give business technical reason why this cannot be achieved. Next stuff is browser compatibility. Under the hood testing will become exhaustive and chances are these are prones to more defects that leads to unknowns while move to production. Next time you come across CSP , think twice do your thorough research before you commit something.