False Positive ZAP doesn't detect the Content-Security-Policy header in the Meta tag
Describe the bug
Passive (10038 - Content Security Policy (CSP) Header Not Set) is being triggered even though the Content Security Policy has been set in the <meta> tag, which is valid usage according to Content-security-policy.com. Not all developers have access to the HTTP headers of their application, for example with proxies or microservices, so some will choose to set it in the <meta> tag instead of in HTTP headers.
https://content-security-policy.com/examples/meta/
Steps to reproduce the behavior
- Create a site with the Content-Security-Policy in the <meta> tag
- Let ZAP perform a passive scan
- Alert Passive (10038 - Content Security Policy (CSP) Header Not Set) pops up
- Observe the response containing the Content Security Policy in the <meta> tag
Expected behavior
ZAP shouldn't throw an alert when the Content-Security-Policy has been added to the <meta> tag.
Software versions
OWASP ZAP Version: D-2022-05-23
Installed Add-ons: [[id=accessControl, version=8.0.0], [id=alertFilters, version=14.0.0], [id=ascanrules, version=47.0.0], [id=ascanrulesAlpha, version=38.0.0], [id=ascanrulesBeta, version=41.0.0], [id=attacksurfacedetector, version=1.1.4], [id=authstats, version=2.0.0], [id=automation, version=0.16.0], [id=bruteforce, version=12.0.0], [id=callhome, version=0.4.0], [id=commonlib, version=1.10.0], [id=coreLang, version=16.0.0], [id=custompayloads, version=0.11.0], [id=diff, version=12.0.0], [id=directorylistv1, version=6.0.0], [id=directorylistv2_3, version=4.0.0], [id=directorylistv2_3_lc, version=4.0.0], [id=domxss, version=13.0.0], [id=encoder, version=0.7.0], [id=exim, version=0.2.0], [id=formhandler, version=5.0.0], [id=fuzz, version=13.7.0], [id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql, version=0.10.0], [id=help, version=15.0.0], [id=hud, version=0.14.0], [id=imagelocationscanner, version=3.0.0], [id=invoke, version=12.0.0], [id=jsonview, version=2.0.0], [id=network, version=0.3.0], [id=oast, version=0.11.0], [id=onlineMenu, version=10.0.0], [id=openapi, version=28.0.0], [id=plugnhack, version=13.0.0], [id=portscan, version=10.0.0], [id=pscanrules, version=41.0.0], [id=pscanrulesAlpha, version=35.0.0], [id=pscanrulesBeta, version=30.0.0], [id=quickstart, version=34.0.0], [id=reflect, version=0.0.11], [id=regextester, version=2.0.0], [id=replacer, version=10.0.0], [id=reports, version=0.14.0], [id=requester, version=6.0.0], [id=retest, version=0.3.0], [id=retire, version=0.12.0], [id=reveal, version=5.0.0], [id=revisit, version=4.0.0], [id=scripts, version=31.0.0], [id=selenium, version=15.10.0], [id=sequence, version=7.0.0], [id=soap, version=14.0.0], [id=spiderAjax, version=23.8.0], [id=sqliplugin, version=15.0.0], [id=tips, version=10.0.0], [id=tokengen, version=15.0.0], [id=treetools, version=8.0.0], [id=wappalyzer, version=21.10.0], [id=webdriverlinux, version=39.0.0], [id=webdrivermacos, version=40.0.0], [id=webdriverwindows, version=39.0.0], [id=websocket, version=27.0.0], [id=zest, version=36.0.0]]
Operating System: Windows 10
Java Version: Eclipse Adoptium 17.0.3
System’s Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: windows-1252
ZAP Home Directory: C:\Users\$USER\OWASP ZAP_D
ZAP Installation Directory: C:\Users\$USER\LocalPrograms\ZAPWeekly\ZAP_D-2022-05-23.
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)
Screenshots
Errors from the zap.log file
No relevant errors in the ZAP error log as this is a detection issue.
Additional context
no additional context
Would you like to help fix this issue?
- Yes
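As an added example (not ZAP's own rule code), the check the report asks for: a passive rule that only inspects the HTTP headers fires on a response whose policy lives in a <meta http-equiv> tag, while one that also parses the body does not. The sample response is constructed, and the function also lists the directives that the CSP specification says browsers ignore when the policy is delivered in a <meta> tag, since a header-less deployment silently loses them.

```python
from html.parser import HTMLParser

# Directives the CSP specification says are ignored when the policy is delivered in a <meta> tag.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "sandbox"}


class _MetaCspParser(HTMLParser):
    """Collects the content= value of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "content-security-policy" and a.get("content"):
            self.policies.append(a["content"].strip())


def find_csp(headers, body):
    """Return (source, policy) for the first CSP found in the header or body, else (None, None)."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return "header", value
    parser = _MetaCspParser()
    parser.feed(body)
    if parser.policies:
        return "meta", parser.policies[0]
    return None, None


def csp_header_not_set(headers, body, consider_meta=True):
    """Passive check modelled on rule 10038: True means the alert fires.
    consider_meta=False reproduces the header-only behaviour the report describes."""
    source, _ = find_csp(headers, body)
    return source is None or (source == "meta" and not consider_meta)


def directives_ignored_in_meta(policy):
    """Directives present in a meta-delivered policy that browsers will ignore."""
    names = {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}
    return sorted(names & META_UNSUPPORTED)


# Constructed sample response: CSP only in the <meta> tag, no header.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY = ('<html><head><meta http-equiv="Content-Security-Policy" '
               'content="default-src \'self\'; frame-ancestors \'none\'"></head><body>hi</body></html>')
```

With `consider_meta=False` the sample triggers the alert exactly as reported; with the meta tag taken into account it does not, but `frame-ancestors` is flagged as ignored because it cannot be delivered that way.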
Issue Analytics
- Created a year ago
- Comments: 5 (4 by maintainers)
Top GitHub Comments
https://groups.google.com/g/zaproxy-users/c/kyle7Fe5ke8/m/vP78cYFhAQAJ
This is my current plan for this issue:
10038
10055
New handling:
New alerts:
Please let me know if you can think of anything else.