From 741bdcff62e274fc2c5ec76b2f17448c3ce6330d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 21 Aug 2023 17:42:14 +0000
Subject: [PATCH 1/3] Release 6.1.3
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index a61091e3ce..5389b03525 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -5,7 +5,7 @@ springBootVersion=3.1.1
 springFrameworkVersion=6.0.11
 micrometerVersion=1.10.10
 openSamlVersion=4.1.1
-version=6.1.3-SNAPSHOT
+version=6.1.3
 kotlinVersion=1.8.22
 samplesBranch=main
 org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
From bbf2dd70917998609cde8b22e93aab2d971cc685 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 21 Aug 2023 18:19:39 +0000
Subject: [PATCH 2/3] Next development version
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 5389b03525..dd968a7edc 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -5,7 +5,7 @@ springBootVersion=3.1.1
 springFrameworkVersion=6.0.11
 micrometerVersion=1.10.10
 openSamlVersion=4.1.1
-version=6.1.3
+version=6.1.4-SNAPSHOT
 kotlinVersion=1.8.22
 samplesBranch=main
 org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
From a4d8c62ad73cb07490964427ea5ec63b9c43db9a Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 28 Aug 2023 16:58:28 -0600
Subject: [PATCH 3/3] withHttpOnlyCookie defaults to false
Closes gh-13659
---
 .../web/csrf/CookieCsrfTokenRepository.java | 2 +-
 .../web/csrf/CookieCsrfTokenRepositoryTests.java | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
index d7ce834da6..15d9fbb44c 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
@@ -178,7 +178,7 @@ public final class CookieCsrfTokenRepository implements CsrfTokenRepository {
 */
 public static CookieCsrfTokenRepository withHttpOnlyFalse() {
 CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
- result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
+ result.cookieHttpOnly = false;
 return result;
 }
diff --git a/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
index 79a64198a2..5587bb5c09 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryTests.java
@@ -423,6 +423,19 @@ class CookieCsrfTokenRepositoryTests {
 assertThat(((MockCookie) tokenCookie).getSameSite()).isEqualTo(sameSitePolicy);
 }
 
+ // gh-13659
+ @Test
+ void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
+ CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+ repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
+ CsrfToken token = repository.generateToken(this.request);
+ repository.saveToken(token, this.request, this.response);
+ Cookie tokenCookie = this.response.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
+ assertThat(tokenCookie).isNotNull();
+ assertThat(tokenCookie.getMaxAge()).isEqualTo(1000);
+ assertThat(tokenCookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
+ }
+
 @Test
 void setCookieNameNullIllegalArgumentException() {
 assertThatIllegalArgumentException().isThrownBy(() -> this.repository.setCookieName(null));
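Review bot: The new `result.cookieHttpOnly = false;` line carries no hint of why the factory now writes the field instead of installing a customizer, so a later maintainer may "tidy" it back to the removed `setCookieCustomizer` form and reintroduce the bug this commit fixes; add a why-comment such as `// write the field rather than register a customizer, so a later setCookieCustomizer(...) call cannot silently discard httpOnly=false (gh-13659)`. The Javadoc of withHttpOnlyFalse() sits just above the hunk and should state the same contract, and, if the customizer is applied after the field when the cookie is built (the hunk does not show the build order, so this needs confirming), that a customizer which itself calls `httpOnly(true)` still takes precedence. Because this factory deliberately makes the CSRF cookie readable by script, that precedence rule is the detail a caller most needs documented. The class declaration and the `cookieHttpOnly` field itself are outside the hunk.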
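Review bot: `assertThat(tokenCookie.isHttpOnly()).isEqualTo(Boolean.FALSE);` in the new test boxes a primitive boolean only to compare it with a constant; the idiomatic AssertJ form is `assertThat(tokenCookie.isHttpOnly()).isFalse();`, which also yields a clearer failure message. The test pins the fixed behaviour for a customizer that leaves httpOnly untouched, but not the case where the customizer itself calls `httpOnly(true)`, so which setting wins there remains unverified; a second test, or a sentence in a comment on this one stating the intended precedence, would close that gap.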