Remove CSP rule from DAST
What does this MR do and why?
Several thousand findings were added to the vulnerability report in the last couple of days. Those findings are all like this one: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/30899877
The fact that the CSP isn't enabled by default on self-managed instances (the review apps) is known and those issues only add noise to the vulnerability report. I am disabling this rule and will add an issue to Content Security Policy improvements (&6363) to re-enable it when we're ready if this gets merged.
The rule 10055 that I'm disabling is https://www.zaproxy.org/docs/alerts/10055/
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Can't validate locally, but we can observe that th
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.