Complementation: I found a way to configure the apache csp headers for netdata. Please add the configuration snippet to your documentation:
Header always set Content-Security-Policy "default-src 'unsafe-inline' http://localhost:19999 https: 'self' 'unsafe-eval'; script-src 'unsafe-inline' https: 'self' 'unsafe-eval'; style-src https: 'self' 'unsafe-inline'" Thanks Katharina