So the error happens in
/var/www/html/admin/scripts/pi-hole/php/auth.php
in
function check_cors()
this function compares a variable $server_origin with a list of allowed hostnames, e.g. "pi.hole", the ip address etc.
The allowed hostnames are fine in my case, BUT the variable $server_origin has "NULL" as value, which is obviously not the same as a valid hostname.
this triggers the line
log_and_die("Failed CORS: " . $server_origin .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
which kills the beautiful web interface and shows the ugly white page with the error.
Workaround:
comment the line out, then it works:
// log_and_die("Failed CORS: " . $server_origin .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
Real solution (developer needed):
Find out why $server_origin gives "NULL" in my system (Ubuntu 18.04, Apache 2) and solve it. Or just remove the CORS check...