Wait longer for background requests to finish

Context

We have had several support cases recently where authentication was failing because DAST was not waiting long enough for the login to complete. I believe that these cases stem from the fact that when the login button is pressed but the page is not transitioning - e.g. because a request is being made in the background - DAST only waits 800 milliseconds by default (the value of the DAST_BROWSER_ACTION_STABILITY_TIMEOUT variable) before continuing to the next action. This is in contrast to when a page is transitioning, when DAST waits 6 seconds by default (the value of the DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT variable) for the transition to complete.

• https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/70
• https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/99
• there's another one I remember seeing but can't find at the moment...

Note that this likely affects non-auth scenarios too, but those will generally not cause a hard failure. It's the auth failures that we get support tickets for. So the same issue may be causing scan degradation that we don't have visibility to.

Proposal

When a page is not transitioning, and a wait based on DAST_BROWSER_ACTION_STABILITY_TIMEOUT is occurring, if a new background request is detected during that window, upgrade the wait to use DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT instead.

Use WaitAfterNavigation() instead of WaitAfterAction() to determine how long to wait after a navigation interaction. This makes better use of all of the available heuristics to determine whether the page is ready to continue, instead of putting most of the weight on whether the page is transitioning.

Implementation

1. In Tab.navigationWait, instead of passing t.timeoutConfig.WaitAfterAction() to the domStableAfter parameter of WaitStable, pass the greater of t.timeoutConfig.WaitAfterAction() and t.timeoutConfig.WaitAfterNavigation().
2. Add a switch to start passing only t.timeoutConfig.WaitAfterNavigation() when the browserker major version changes.
3. [ ] Deprecate DAST_BROWSER_ACTION_STABILITY_TIMEOUT (add to Dynamic Analysis 17.0 deprecations, removals an... (#422907 - closed))
4. [ ] Write a warning to the log when DAST_BROWSER_ACTION_STABILITY_TIMEOUT has been set; possibly a stronger warning when DAST_BROWSER_ACTION_STABILITY_TIMEOUT is greater than DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT, since that will require action

Deprecation moved to Deprecate `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` (#428112 - closed)