docs: security.md, session.md - added clarification on defaultSession, added csp example

docs/api/session.md

@@ -66,7 +66,7 @@ The `session` module has the following properties:
 
 ### `session.defaultSession`
 
-A `Session` object, the default session object of the app.
+A `Session` object, the default session object of the app, available once app is ready.
 
 ## Class: Session
 

docs/tutorial/security.md

@@ -280,35 +280,29 @@ security-conscious developers might want to assume the very opposite.
 #### How?
 
 ```js title='main.js (Main Process)'
-const { app, session } = require('electron')
+const { session } = require('electron')
 const { URL } = require('url')
 
-app.whenReady().then(() => { 
-  // Your function responsible for creating the BrowserWindow and loading your web application
-  createWindow()
-}).then(() => {
-  session.defaultSession.webRequest
-    .setPermissionRequestHandler((webContents, permission, callback) => {
-      const parsedUrl = new URL(webContents.getURL())
+session
+  .defaultSession
+  .setPermissionRequestHandler((webContents, permission, callback) => {
+    const parsedUrl = new URL(webContents.getURL())
 
-      if (permission === 'notifications') {
-        // Approves the permissions request
-        callback(true)
-        return
-      }
+    if (permission === 'notifications') {
+      // Approves the permissions request
+      callback(true)
+    }
 
-      // Verify URL
-      if (parsedUrl.protocol !== 'https:' || parsedUrl.host !== 'example.com') {
-        // Denies the permissions request
-        callback(false)
-        return
-      }
-
-      // Default is deny
-    })
-})
+    // Verify URL
+    if (parsedUrl.protocol !== 'https:' || parsedUrl.host !== 'example.com') {
+      // Denies the permissions request
+      return callback(false)
+    }
+  })
 ```
 
+Note: `session.defaultSession` is only available when app is ready.
+
 ### 6. Do not disable `webSecurity`
 
 :::info
@@ -387,25 +381,22 @@ which can be set using Electron's
 handler:
 
 ```js title='main.js (Main Process)'
-const { app, session } = require('electron')
+const { session } = require('electron')
 
-app.whenReady().then(() => {
-  // Your function responsible for creating the BrowserWindow and loading your web application
-  createWindow()
-}).then(() => {
-  session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
-    callback({
-      responseHeaders: {
-        ...details.responseHeaders,
-        'Content-Security-Policy': ["default-src 'none'"]
-        // Multiple policies are provided like this, going from specific to general
-        // 'Content-Security-Policy': ["img-src 'self'; script-src 'self' https://apis.example.com; default-src 'none'"]
-      }
-    })
+session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+  callback({
+    responseHeaders: {
+      ...details.responseHeaders,
+      'Content-Security-Policy': ['default-src \'none\'']
+      // Multiple policies are provided like this, going from specific to general
+      // 'Content-Security-Policy': ["img-src 'self'; script-src 'self' https://apis.example.com; default-src 'none'"]
+    }
   })
 })
 ```
 
+Note: `session.defaultSession` is only available when app is ready.
+
 #### CSP meta tag
 
 CSP's preferred delivery mechanism is an HTTP header. However, it is not possible
@@ -870,4 +861,4 @@ please see the [Context Isolation](context-isolation.md) document.
 [web-contents]: ../api/web-contents.md
 [window-open-handler]: ../api/web-contents.md#contentssetwindowopenhandlerhandler
 [will-navigate]: ../api/web-contents.md#event-will-navigate
-[open-external]: ../api/shell.md#shellopenexternalurl-options
+[open-external]: ../api/shell.md#shellopenexternalurl-options