Merge branch '5.8.x' into 6.1.x

Closes gh-14345

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -823,7 +823,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * replaced with "#". For example:
 		 *
 		 * <pre>
-		 * X-XSS-Protection: 1 ; mode=block
+		 * X-XSS-Protection: 1; mode=block
 		 * </pre>
 		 * @param headerValue the new header value
 		 * @since 5.8

config/src/test/java/org/springframework/security/config/web/server/HeaderSpecTests.java

@@ -320,7 +320,7 @@ public class HeaderSpecTests {
 
 	@Test
 	public void headersWhenXssProtectionValueEnabledModeBlockThenXssProtectionWritten() {
-		this.expectedHeaders.set(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block");
+		this.expectedHeaders.set(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1; mode=block");
 		// @formatter:off
 		this.http.headers()
 				.xssProtection()

web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java

@@ -74,7 +74,7 @@ public final class XXssProtectionHeaderWriter implements HeaderWriter {
 	 * specify mode as blocked. The content will be replaced with "#". For example:
 	 *
 	 * <pre>
-	 * X-XSS-Protection: 1 ; mode=block
+	 * X-XSS-Protection: 1; mode=block
 	 * </pre>
 	 * @param headerValue the new header value
 	 * @throws IllegalArgumentException when headerValue is null
@@ -86,7 +86,7 @@ public final class XXssProtectionHeaderWriter implements HeaderWriter {
 	}
 
 	/**
-	 * The value of the x-xss-protection header. One of: "0", "1", "1 ; mode=block"
+	 * The value of the x-xss-protection header. One of: "0", "1", "1; mode=block"
 	 *
 	 * @author Daniel Garnier-Moiroux
 	 * @since 5.8

web/src/main/java/org/springframework/security/web/server/header/XXssProtectionServerHttpHeadersWriter.java

@@ -73,7 +73,7 @@ public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersW
 	 * specify mode as blocked. The content will be replaced with "#". For example:
 	 *
 	 * <pre>
-	 * X-XSS-Protection: 1 ; mode=block
+	 * X-XSS-Protection: 1; mode=block
 	 * </pre>
 	 * @param headerValue the new headerValue
 	 * @throws IllegalArgumentException if headerValue is null
@@ -86,14 +86,14 @@ public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersW
 	}
 
 	/**
-	 * The value of the x-xss-protection header. One of: "0", "1", "1 ; mode=block"
+	 * The value of the x-xss-protection header. One of: "0", "1", "1; mode=block"
 	 *
 	 * @author Daniel Garnier-Moiroux
 	 * @since 5.8
 	 */
 	public enum HeaderValue {
 
-		DISABLED("0"), ENABLED("1"), ENABLED_MODE_BLOCK("1 ; mode=block");
+		DISABLED("0"), ENABLED("1"), ENABLED_MODE_BLOCK("1; mode=block");
 
 		private final String value;
 

web/src/test/java/org/springframework/security/web/server/header/XXssProtectionServerHttpHeadersWriterTests.java

@@ -82,7 +82,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 		this.writer.writeHttpHeaders(this.exchange);
 		assertThat(this.headers).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION))
-			.containsOnly("1 ; mode=block");
+			.containsOnly("1; mode=block");
 	}
 
 }