
withHttpOnlyFalse() keeps httpOnly=false even when a cookie customizer is set later

Closes gh-16820

Signed-off-by: DingHao <dh.hiekn@gmail.com>
DingHao 5 月之前
父节点
当前提交
857ef6fe08

+ 2 - 2
web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -84,7 +84,7 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
 	 */
 	public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {
 		CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();
-		result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
+		result.cookieHttpOnly = false;
 		return result;
 	}
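Review bot: The Javadoc for `withHttpOnlyFalse()` (it starts above this hunk, only its closing `*/` is visible) should state the new guarantee and the caveat that comes with it: the HttpOnly flag is now held in the `cookieHttpOnly` field, so a later `setCookieCustomizer(...)` no longer silently reverts the cookie to HttpOnly, but a customizer that itself calls `httpOnly(true)` presumably still wins — the apply order in `saveToken` is not visible here, so confirm and document it. Disabling HttpOnly deliberately exposes the `XSRF-TOKEN` cookie to script so a JavaScript client can echo it in a header; the trade-off worth spelling out is that any XSS on the origin can then read the token, so this mode should be paired with the other XSS mitigations the application already relies on. I would add to the Javadoc: `This setting is retained when {@link #setCookieCustomizer(Consumer)} is called afterwards; note that a non-HttpOnly token cookie is readable by any script running on the origin, so this factory should only be used with clients that read the cookie from JavaScript.`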
 

+ 16 - 1
web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -290,6 +290,21 @@ class CookieServerCsrfTokenRepositoryTests {
 		loadAndAssertExpectedValues();
 	}
 
+	// gh-16820
+	@Test
+	void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
+		CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
+		repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
+		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
+		MockServerWebExchange exchange = MockServerWebExchange.from(request);
+		CsrfToken csrfToken = repository.generateToken(exchange).block();
+		repository.saveToken(exchange, csrfToken).block();
+		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
+		assertThat(cookie).isNotNull();
+		assertThat(cookie.getMaxAge().getSeconds()).isEqualTo(1000);
+		assertThat(cookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
+	}
+
 	private void setExpectedHeaderName(String expectedHeaderName) {
 		this.csrfTokenRepository.setHeaderName(expectedHeaderName);
 		this.expectedHeaderName = expectedHeaderName;
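Review bot: The new test pins that a customizer which leaves httpOnly untouched keeps it false, but not the precedence when a customizer on a `withHttpOnlyFalse()` repository explicitly calls `httpOnly(true)`, nor that a plain `new CookieServerCsrfTokenRepository()` with the same `maxAge(1000)` customizer still emits an HttpOnly cookie — the regression in gh-16820 was precisely a silent flip of this flag, so both directions are worth locking down. A companion test, e.g. `withHttpOnlyFalseWhenCustomizerSetsHttpOnlyTrueThenHttpOnlyTrue`, would document which setting wins; the order in which the field and the customizer are applied in `saveToken` is not visible in this hunk, so confirm it before asserting a direction. As a point of style, `assertThat(cookie.isHttpOnly()).isFalse();` reads more naturally than `.isEqualTo(Boolean.FALSE)`.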