WithHttpOnlyCookie defaults to false

kse-music · jzheaux · commit 857ef6fe087f · 2025-04-01T11:59:51.000-06:00
Closes gh-16820 Signed-off-by: DingHao <dh.hiekn@gmail.com>
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -84,7 +84,7 @@ public void setCookieCustomizer(Consumer<ResponseCookie.ResponseCookieBuilder> c
 	 */
 	public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {
 		CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();
-		result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
+		result.cookieHttpOnly = false;
 		return result;
 	}
 
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -290,6 +290,21 @@ void loadTokenWhenCookieExistsWithNullValue() {
 		loadAndAssertExpectedValues();
 	}
 
+	// gh-16820
+	@Test
+	void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
+		CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
+		repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
+		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
+		MockServerWebExchange exchange = MockServerWebExchange.from(request);
+		CsrfToken csrfToken = repository.generateToken(exchange).block();
+		repository.saveToken(exchange, csrfToken).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.getMaxAge().getSeconds()).isEqualTo(1000);
+		assertThat(cookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
+	}
+
 	private void setExpectedHeaderName(String expectedHeaderName) {
 		this.csrfTokenRepository.setHeaderName(expectedHeaderName);
 		this.expectedHeaderName = expectedHeaderName;

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2022 the original author or authors.`
	`2`	`+ * Copyright 2002-2025 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -84,7 +84,7 @@ public void setCookieCustomizer(Consumer<ResponseCookie.ResponseCookieBuilder> c`
`84`	`84`	`*/`
`85`	`85`	`public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {`
`86`	`86`	`CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();`
`87`		`- result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));`
	`87`	`+ result.cookieHttpOnly = false;`
`88`	`88`	`return result;`
`89`	`89`	`}`
`90`	`90`