fix(security): restrictive production CSP

Adjust our Content Security Policy on production so that it is more
restrictive than when we run in development mode. Changes include:

 - Do not allow loading content/scripts/fonts from localhost
 - Do not allow running code that contains `eval` statements

webpack.config.renderer.prod.js

@@ -157,15 +157,26 @@ export default merge.smart(baseConfig, {
       'object-src': "'none'",
       'connect-src': [
         "'self'",
-        'http://localhost:*',
-        'ws://localhost:*',
         'https://api.coinmarketcap.com',
         'https://zap.jackmallers.com',
         'https://testnet-api.smartbit.com.au'
       ],
-      'script-src': ["'self'", 'http://localhost:*', "'unsafe-eval'"],
-      'font-src': ["'self'", 'data:', 'http://localhost:*', 'https://fonts.googleapis.com', 'https://s3.amazonaws.com', 'https://fonts.gstatic.com'],
-      'style-src': ["'self'", 'blob:', 'https://fonts.googleapis.com', 'https://s3.amazonaws.com', 'https://fonts.gstatic.com', "'unsafe-inline'"]
+      'script-src': ["'self'"],
+      'font-src': [
+        "'self'",
+        'data:',
+        'https://fonts.googleapis.com',
+        'https://s3.amazonaws.com',
+        'https://fonts.gstatic.com'
+      ],
+      'style-src': [
+        "'self'",
+        'blob:',
+        'https://fonts.googleapis.com',
+        'https://s3.amazonaws.com',
+        'https://fonts.gstatic.com',
+        "'unsafe-inline'"
+      ]
     })
   ]
 })