Include default content security policy or guidance?

I have just gotten the boilerplate up and running. Not surprisingly, I ran into two security warnings:

Surprisingly, I haven’t bumped into any detailed articles (outside of the docs) that discuss best practices for dealing with these security issues.

I also find the electron doc’s recommendations to be a bit vague when it comes to understanding what should be placed where: Both the meta tag and the http header? Is 'default-src \'none\'' fine for apps that don’t need to access websites? (Perhaps that is an issue to take up there?)

Prerequisites

• Using yarn
• Using an up-to-date master branch
• Using latest version of devtools. See wiki for howto update
• Link to stacktrace in a Gist (for bugs)
• For issue in production release, devtools output of DEBUG_PROD=true yarn build && yarn start
• Tried solutions mentioned in #400

Expected Behavior

The app starts running in dev mode and you are off to the races with no warnings, etc.

Current Behavior

Two warnings flash up right away about security.

Possible Solution

1. Add default behavior for dealing with the content security policy. For example, based on what comes up in the electron docs, it might be sufficient to add this snippet to main?
2. Clarify whether the insecure resources warning is anything to be concerned about in the docs.

Steps to Reproduce (for bugs)

1. Clone the repo.
2. Run yarn run dev
3. Open devtools to see the warnings.

Context

This just creates a little wormhole that I need to travel down every time I start a new electron app (using the boilerplate or otherwise).

The only change I made to the boilerplate was the addition of scss.

Your Environment

• Node version : 10.13.0
• Version or Branch used : Master (as of 10/19/18)
• Operating System and version : Windows 10
• Link to your project : NA