This broadens the suppression language to indicate that these aren't all false positives
As an example, adding a search.gov input will create a finding for lack of CSRF tokens. There isn't really risk associated with this (it's not a form submission) but the finding itself is valid even if the implementation is required.
Another example is CSP Headers: these aren't able to be set by end users, so a ZAP scan will flag this as a vulnerability. Users have no control over this particular setting but can gain CSP protection by adding meta tags with CSP rules.
Changes proposed in this pull request:
meta
tags with CSP rules.security considerations
Noted above