Beta exposes access key when preview is turned off

[scb-mchaines]

On the latest beta release, it looks like there is some risk of publicly exposing access keys. Steps:

1. npm install with the affected version "gatsby-source-prismic-graphql": "^3.4.0-beta.2"
2. build with gatsby-source-prismic-graphl config indicating previews: false. Mine looks something like:

    {
      resolve: 'gatsby-source-prismic-graphql',
        options: {
          repositoryName: 'my-repository',
          accessToken: 'secret-access-token',
          path: '/preview',
          previews: false,
          pages: [{ 
            type: 'Page',
            match: '/:uid',
            path: '/',
            component: require.resolve('./src/components/page.js'),
        }]
      }
    }

3. Serve the public directory, and check window.prismicGatsbyOptions.accessToken in the js console of the page. In my case, this exposes the access key.

Originally posted by @scb-mchaines in #45 (comment)

[andyto]

What the purpose of window.prismic and window.prismicGatsbyOptions in a production build without a preview?