Deprecate `DAST_BROWSER_ACTION_STABILITY_TIMEOUT`

Context

The `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` variable was intended to be used as a buffer after performing an action (e.g. clicking a button) that does not transition the page, to make sure the page is stable before continuing. Unfortunately, it is not reliable, since an action that does not transition the page may still spawn background requests that need to return before continuing. We have seen this occur in auth failures where the submit button spawns a background request to log in, but because the page does not transition, the `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` (which is less than a second by default) expires before the login completes.

By contrast, `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT` was intended to be used after performing an action that does transition the page; it is longer by default and waits for the page to transition. It also waits for requests to finish, while still continuing early if the page is found to be stable.

Decision

In "Wait longer for background requests to finish" (#425713 - closed), we made the decision to change the one place that uses `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` to use `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT` instead if it is greater (which it is by default). This essentially makes `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` redundant. We will deprecate it in %16.6, stop using it in %17.0, and remove references to it after %17.0.

Implementation

  1. Write a warning to the log when `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` has been set; possibly a stronger warning when `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` is greater than `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT`, since that will require action.
    • Current version: "DAST_BROWSER_ACTION_STABILITY_TIMEOUT has been deprecated and will stop working in the next major version"
    • Next version: "DAST_BROWSER_ACTION_STABILITY_TIMEOUT has been deprecated and is no longer used"
  2. Update documentation to mark `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` as deprecated
  3. Add to Dynamic Analysis 17.0 deprecations, removals an... (&11986 - closed)
    • Create a removal issue
Edited by David Nelson
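
A sketch of the timeout selection from the Decision section combined with the warnings from Implementation step 1, added here as an illustration and not taken from the DAST analyzer's code. The function names, the default values (800ms and 7s), and the wording of the stronger warning are assumptions; the first warning string is the "Current version" message above.

```go
package main

import (
	"fmt"
	"time"
)

const (
	actionVar     = "DAST_BROWSER_ACTION_STABILITY_TIMEOUT"
	navigationVar = "DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT"
	// Assumed defaults for illustration; the issue only says the action
	// default is under a second and the navigation default is longer.
	defaultAction     = 800 * time.Millisecond
	defaultNavigation = 7 * time.Second
)

// durationOr parses env[name]; unset or invalid values fall back to def.
func durationOr(env map[string]string, name string, def time.Duration) (time.Duration, bool) {
	raw, set := env[name]
	if d, err := time.ParseDuration(raw); set && err == nil && d > 0 {
		return d, true
	}
	return def, set
}

// postActionWait returns the wait used after an action that does not
// transition the page (the larger of the two timeouts) plus any warnings.
func postActionWait(env map[string]string) (time.Duration, []string) {
	action, actionSet := durationOr(env, actionVar, defaultAction)
	navigation, _ := durationOr(env, navigationVar, defaultNavigation)
	var warnings []string
	if actionSet {
		warnings = append(warnings, actionVar+" has been deprecated and will stop working in the next major version")
	}
	if actionSet && action > navigation {
		// Hypothetical wording for the "stronger warning" the issue proposes.
		warnings = append(warnings, fmt.Sprintf("%s=%s exceeds %s=%s; set %s to %s to keep this wait",
			actionVar, action, navigationVar, navigation, navigationVar, action))
	}
	if navigation > action {
		return navigation, warnings
	}
	return action, warnings
}

func main() {
	wait, warnings := postActionWait(map[string]string{actionVar: "10s"})
	fmt.Println(wait, warnings)
}
```

The case that needs user action is the last one in `main`: once the deprecated variable is ignored, a job that relied on a 10s action timeout silently drops to the navigation timeout unless that variable is raised.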