Remove CSP rule from DAST

Dominic Couture requested to merge dcouture-dast-csp into master

What does this MR do and why?

Several thousand findings were added to the vulnerability report in the last couple of days. Those findings are all like this one: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/30899877

The fact that the CSP isn't enabled by default on self-managed instances (the review apps) is known and those issues only add noise to the vulnerability report. I am disabling this rule and will add an issue to Content Security Policy improvements (&6363) to re-enable it when we're ready if this gets merged.

The rule 10055 that I'm disabling is https://www.zaproxy.org/docs/alerts/10055/

How to set up and validate locally

Can't validate locally, but we can observe that th

Edited by Dominic Couture
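What ZAP passive rule 10055 actually evaluates, as an added example for this page (not code from the MR, from GitLab, or from ZAP): a small Python re-implementation of the rule's checks over a serialized Content-Security-Policy header, plus a counter showing how one instance-wide policy turns into one finding per scanned URL. The alert names, the directive list, and the sample responses below are my simplified reading of the rule and constructed inputs, not ZAP's exact output or any real GitLab response.

```python
"""Simplified re-implementation of the checks behind ZAP passive rule 10055 ("CSP").

Added illustration for this MR page; not ZAP's, GitLab's, or the MR's code.
Alert names and directive handling approximate the ZAP rule page (assumption).
"""
from collections import Counter
from typing import Dict, List, Optional

# Fetch directives that inherit default-src when they are not specified.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "frame-src")
# Directives with no default-src fallback: if absent, they are unrestricted.
NO_FALLBACK_DIRECTIVES = ("base-uri", "form-action", "frame-ancestors")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a serialized policy into {directive: [source expressions]}.

    Directive names are case-insensitive and a repeated directive is ignored
    after its first occurrence, as the CSP spec requires."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(d: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Sources governing `name`: its own list, else default-src for fetch
    directives, else None (None means the directive is completely unrestricted)."""
    if name in d:
        return d[name]
    if name in FETCH_DIRECTIVES:
        return d.get("default-src")
    return None


def evaluate_policy(policy: str) -> List[str]:
    """Return the 10055-style alerts raised by one policy string."""
    d = parse_csp(policy)
    alerts: List[str] = []
    for name in FETCH_DIRECTIVES:
        sources = effective_sources(d, name)
        if sources is None:
            # Neither the directive nor default-src exists: effectively '*'.
            alerts.append(f"CSP: Wildcard Directive ({name} undefined, no default-src)")
            continue
        lowered = [s.lower() for s in sources]
        # Simplification: only '*' and bare http:/https: scheme sources count as wildcards.
        if "*" in lowered or "http:" in lowered or "https:" in lowered:
            alerts.append(f"CSP: Wildcard Directive ({name})")
        # Simplification: flagged even when a nonce or hash is also present.
        if name in ("script-src", "style-src") and "'unsafe-inline'" in lowered:
            alerts.append(f"CSP: {name} unsafe-inline")
        if name == "script-src" and "'unsafe-eval'" in lowered:
            alerts.append("CSP: script-src unsafe-eval")
    for name in NO_FALLBACK_DIRECTIVES:
        if name not in d:
            alerts.append(f"CSP: Failure to Define Directive with No Fallback ({name})")
    return alerts


def evaluate_response(headers: Dict[str, str]) -> List[str]:
    """Evaluate one response's headers (names matched case-insensitively).

    Both the enforcing and the report-only header are evaluated. A response
    carrying neither raises nothing here; ZAP reports the absent header under
    its separate rule 10038 ("Content Security Policy (CSP) Header Not Set")."""
    lowered = {k.lower(): v for k, v in headers.items()}
    alerts: List[str] = []
    for header in ("content-security-policy", "content-security-policy-report-only"):
        if header in lowered:
            alerts.extend(evaluate_policy(lowered[header]))
    return alerts


def summarize_scan(responses: Dict[str, Dict[str, str]]) -> Counter:
    """Count identical alerts across all scanned URLs: one instance-wide policy
    shows up once per page, which is how a single root cause becomes many findings."""
    counts: Counter = Counter()
    for headers in responses.values():
        for alert in evaluate_response(headers):
            counts[alert] += 1
    return counts


# Constructed sample policies and responses (not real GitLab headers).
WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src data:"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
                   "object-src 'none'; base-uri 'self'; form-action 'self'; "
                   "frame-ancestors 'none'")
SAMPLE_RESPONSES = {
    "https://example.test/": {"Content-Security-Policy-Report-Only": WEAK_POLICY},
    "https://example.test/explore": {"content-security-policy-report-only": WEAK_POLICY},
    "https://example.test/help": {"Content-Security-Policy-Report-Only": WEAK_POLICY},
    "https://example.test/api/v4/version": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for alert, n in sorted(summarize_scan(SAMPLE_RESPONSES).items()):
        print(f"{n:4d}  {alert}")
```

Running the block prints one line per distinct alert with the number of URLs it fired on; the three HTML pages sharing the same report-only policy yield the same thirteen alerts each, while the JSON endpoint with no CSP header yields none from this rule.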
