Thursday, January 22, 2026

CSP on Apache

Adding a CSP header to the root (/) is sort of funny. The following will NOT work in most cases!

    <LocationMatch "^/$">
        Header set Content-Security-Policy "unsafe-inline"
    </LocationMatch>

Case 1: The root (/) is associated with DocumentRoot

In this case, because the root is served from the DocumentRoot, the 'Header set' behavior is not applied. You need to match the final resulting document, e.g.

    <LocationMatch "^/index\.html$">
        Header set Content-Security-Policy "unsafe-inline"
    </LocationMatch>


Case 2: The root (/) is redirected via Rewrite rule

In this case, because the response is an HTTP 301, the 'Header set' behavior is not applied (it only applies to HTTP 200 responses by default). You need to use 'Header always set':

    <LocationMatch "^/$">
        Header always set Content-Security-Policy "unsafe-inline"
    </LocationMatch>
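
A check to confirm which responses for / actually carry the header, as an added example (not code from the original post): it parses raw response heads such as `curl -sI` output and reports a missing header or a value that contains no directive name. The sample heads, the `/app/` redirect target and the `default-src 'self'` policy are constructed for illustration.

```python
from email.parser import Parser

# A subset of CSP directive names, enough for this check (assumption: extend as needed).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "frame-src", "frame-ancestors", "base-uri",
    "form-action",
}

def check_csp(raw_head):
    """Parse one raw response head (e.g. from `curl -sI`); return (status, findings)."""
    status_line, _, header_block = raw_head.strip().partition("\n")
    status = int(status_line.split()[1])
    # email.parser gives case-insensitive header lookup, as HTTP requires.
    headers = Parser().parsestr(header_block.replace("\r\n", "\n"))
    policy = headers.get("Content-Security-Policy")
    if policy is None:
        return status, ["no Content-Security-Policy header"]
    names = [d.split()[0].lower() for d in policy.split(";") if d.strip()]
    if not any(n in KNOWN_DIRECTIVES for n in names):
        return status, ["no recognised directive in policy %r" % policy]
    return status, []

# Constructed response heads for "/", one per situation (not captured traffic).
SAMPLES = {
    "301 with 'Header set'":
        "HTTP/1.1 301 Moved Permanently\r\nLocation: /app/\r\n\r\n",
    "301 with 'Header always set'":
        "HTTP/1.1 301 Moved Permanently\r\nLocation: /app/\r\n"
        "Content-Security-Policy: default-src 'self'\r\n\r\n",
    "200 for index.html":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "content-security-policy: default-src 'self'; script-src 'self'\r\n\r\n",
    "200 with a bare keyword as the policy":
        "HTTP/1.1 200 OK\r\nContent-Security-Policy: unsafe-inline\r\n\r\n",
}

def audit(samples=SAMPLES):
    """Return {label: (status, findings)} for every sample head."""
    return {label: check_csp(head) for label, head in samples.items()}

if __name__ == "__main__":
    for label, (status, findings) in audit().items():
        print(f"{label}: HTTP {status}: {'; '.join(findings) or 'CSP present'}")
```

To use it against a live server, pass the output of `curl -sI` for / (and for each hop of a redirect) to `check_csp`.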
