CSP headers on Sitecore


The Sitecore Client User Interface does not support Content Security Policy (CSP) headers out of the box because it depends on unsafe scripts (the eval function and inline JavaScript). Customers can configure CSP headers on a Sitecore instance themselves, but in that case the CSP definition for the Content Management (CM) instance should definitely allow unsafe-inline and unsafe-eval scripts for the mapped CM hostname(s).
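One way to check a policy intended for a CM hostname before deploying it, as an added example (not Sitecore code): the function reports why a given header value would block inline or eval'd scripts. It goes slightly beyond the text by also flagging the standard CSP rule that a nonce, hash or 'strict-dynamic' in the same source list makes browsers ignore 'unsafe-inline'. The function names and sample policies are constructed, and script-src-elem / script-src-attr are not evaluated.

```python
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Parse one Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            # Lowercasing is fine here because only keywords/prefixes are compared.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def cm_script_problems(header):
    """List the reasons this policy would block inline or eval'd scripts."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return []  # no directive restricts scripts
    problems = []
    if "'unsafe-eval'" not in sources:
        problems.append("eval blocked: 'unsafe-eval' missing")
    if "'unsafe-inline'" not in sources:
        problems.append("inline blocked: 'unsafe-inline' missing")
    else:
        # Browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is listed.
        override = [s for s in sources
                    if s.startswith(HASH_OR_NONCE) or s == "'strict-dynamic'"]
        if override:
            problems.append("inline blocked: 'unsafe-inline' ignored due to " + override[0])
    return problems

# Constructed sample policies for a CM host (not taken from Sitecore documentation).
SAMPLES = {
    "cm-compatible": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "strict": "default-src 'self'",
    "nonce-added": "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-r4nd0m'",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", cm_script_problems(header) or "OK for CM")
```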