fix: use SetEnv CSP_PROJECT_DOMAINS instead of overriding CSP header (#815)

Follow Apache Infra standard CSP handling per https://infra.apache.org/tools/csp.html
The Content-Security-Policy header must not be overridden directly.
Instead, use SetEnv CSP_PROJECT_DOMAINS to add project-specific domains
to the default Apache CSP base policy.

Co-authored-by: Zhang Juntao <zhangjuntao@apache.org>

Author: Senrian

.htaccess

@@ -1,5 +1,4 @@
 ErrorDocument 404 /404.html
 
-<IfModule mod_headers.c>
-    Header set Content-Security-Policy "frame-src 'self' https://www.google.com https://app.netlify.com"
-</IfModule>
+# CSP permissions for apache.skywalking.apache.org - Adding third party services Google, Netlify. Approved per https://infra.apache.org/tools/csp.html
+SetEnv CSP_PROJECT_DOMAINS "https://www.google.com https://app.netlify.com"