withHttpOnlyCookie defaults to false
Closes gh-13659
jzheaux committed Aug 28, 2023
1 parent bbf2dd7 commit a4d8c62
Showing 2 changed files with 14 additions and 1 deletion.
Expand Up @@ -178,7 +178,7 @@ private String getRequestContext(HttpServletRequest request) {
*/
public static CookieCsrfTokenRepository withHttpOnlyFalse() {
CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
result.cookieHttpOnly = false;
return result;
}

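Review bot: Writing `result.cookieHttpOnly = false` makes the factory's default independent of any later `setCookieCustomizer` call, but that ordering contract is not documented anywhere in the hunk, and the Javadoc whose closing `*/` is the first hunk line (its body starts above the hunk) is where callers will look. I would state there that the token cookie is deliberately not HttpOnly, so it is readable by client-side JavaScript — including any script injected via XSS on the same origin, which is the inherent trade-off of this factory — and that a customizer supplied afterwards is applied in addition to this default rather than replaced by it; the added test suggests the customizer runs on top of the field, but how `saveToken` consumes `cookieHttpOnly` is outside this hunk, so confirm before wording it as a guarantee. Suggested Javadoc addition: `Note that the resulting cookie is not HttpOnly and can be read by any script running on the same origin; a customizer set via {@link #setCookieCustomizer} is applied in addition to this default.` `withHttpOnlyFalse()` itself is complete within the hunk.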
Expand Up @@ -423,6 +423,19 @@ void cookieCustomizer() {
assertThat(((MockCookie) tokenCookie).getSameSite()).isEqualTo(sameSitePolicy);
}

// gh-13659
@Test
void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
CsrfToken token = repository.generateToken(this.request);
repository.saveToken(token, this.request, this.response);
Cookie tokenCookie = this.response.getCookie(CookieCsrfTokenRepository.DEFAULT_CSRF_COOKIE_NAME);
assertThat(tokenCookie).isNotNull();
assertThat(tokenCookie.getMaxAge()).isEqualTo(1000);
assertThat(tokenCookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
}

@Test
void setCookieNameNullIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.repository.setCookieName(null));
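Review bot: The new test pins that a customizer touching only `maxAge` leaves HttpOnly false, but it does not pin the precedence when the customizer itself calls `httpOnly(true)`, which is the case most likely to regress again now that the default has moved from the customizer chain to a field. I would add a sibling test that calls `repository.setCookieCustomizer((c) -> c.httpOnly(true))` on a `withHttpOnlyFalse()` repository and asserts the intended outcome (presumably the explicit customizer wins), so the ordering becomes a tested contract rather than an accident of `saveToken`. As a style point, `assertThat(tokenCookie.isHttpOnly()).isEqualTo(Boolean.FALSE)` reads more clearly as `assertThat(tokenCookie.isHttpOnly()).isFalse()`, using the boolean assertion the library already provides. The `request` and `response` fixtures the test relies on are set up outside this hunk.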
