My security configuration has the following line:

    ...csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...

which sends a CSRF cookie with every request back to the client. This cookie has no SameSite attribute set. Is it possible to add the SameSite attribute as well? I looked around some methods inside that class and there is nothing about extra attributes, to my knowledge.

How can this be done?
Unfortunately, as of version 4.0.1, the servlet-api doesn't allow you to add the Same-Site attribute to a Cookie. Hopefully this will change soon.
But in the meantime, you could provide your own CsrfTokenRepository implementation that, instead of adding a Cookie to the HttpServletResponse (and thus being limited by the servlet-api's representation of a cookie), sets the cookie directly in the HTTP header:
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.security.web.csrf.CsrfTokenRepository;

    public class CustomCsrfTokenRepository implements CsrfTokenRepository {
        // implement generateToken() and loadToken() as well...
        @Override
        public void saveToken(CsrfToken token, HttpServletRequest request,
                              HttpServletResponse response) {
            // some version of this: a null token means the cookie must be cleared
            String value = token == null ? "" : token.getToken();
            String expiry = token == null ? "; Max-Age=0" : "";
            // addHeader, not setHeader, so other Set-Cookie headers are not overwritten;
            // HttpOnly is left off because withHttpOnlyFalse() was used so the front end can read it
            response.addHeader("Set-Cookie",
                    "XSRF-TOKEN=" + value + "; Path=/" + expiry + "; SameSite=Strict");
        }
    }
You can take a look at CookieCsrfTokenRepository to fill in the gaps.
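A complete repository along the lines the answer describes, as an added example that is not part of the original answer or of Spring Security itself. It keeps the cookie, header and parameter names that CookieCsrfTokenRepository uses by default (XSRF-TOKEN, X-XSRF-TOKEN, _csrf) so Angular-style front ends keep working, and writes the Set-Cookie header by hand so it can carry SameSite. The class name SameSiteCookieCsrfTokenRepository and its constructor are my own; the example assumes the javax.servlet API and the Spring Security 4.x CsrfTokenRepository / DefaultCsrfToken classes plus Spring's WebUtils.getCookie helper.

```java
import java.util.UUID;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.web.util.WebUtils;

/**
 * Hypothetical CsrfTokenRepository that mirrors CookieCsrfTokenRepository's
 * naming but serialises the Set-Cookie header itself so it can add SameSite,
 * which javax.servlet.http.Cookie cannot express.
 */
public class SameSiteCookieCsrfTokenRepository implements CsrfTokenRepository {

    // Same defaults as CookieCsrfTokenRepository.
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";
    static final String PARAMETER_NAME = "_csrf";

    private final boolean httpOnly; // false when the front end must read the cookie
    private final String sameSite;  // "Strict" or "Lax"

    public SameSiteCookieCsrfTokenRepository(boolean httpOnly, String sameSite) {
        this.httpOnly = httpOnly;
        this.sameSite = sameSite;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        // A random UUID is URL-safe, so it needs no cookie-value encoding.
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        // A null token means "delete": emit an expired cookie, as CookieCsrfTokenRepository does.
        String value = token == null ? "" : token.getToken();
        int maxAge = token == null ? 0 : -1;
        // addHeader rather than setHeader so existing Set-Cookie headers (e.g. JSESSIONID) survive.
        response.addHeader("Set-Cookie", buildSetCookie(value, maxAge, request));
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        if (cookie == null || cookie.getValue().isEmpty()) {
            return null;
        }
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, cookie.getValue());
    }

    /** Builds the raw Set-Cookie value; a negative maxAge yields a session cookie. */
    String buildSetCookie(String value, int maxAge, HttpServletRequest request) {
        StringBuilder sb = new StringBuilder();
        sb.append(COOKIE_NAME).append('=').append(value);
        sb.append("; Path=").append(cookiePath(request));
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (request.isSecure()) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }

    private static String cookiePath(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        return contextPath.isEmpty() ? "/" : contextPath;
    }
}
```

Wire it in with `.csrf().csrfTokenRepository(new SameSiteCookieCsrfTokenRepository(false, "Strict"))` in place of `withHttpOnlyFalse()`. Two caveats: browsers that predate SameSite simply ignore the attribute, so the double-submit check itself is still what stops forged requests; and `Strict` withholds the cookie on cross-site top-level navigations, which is fine for a token the same-origin page reads via JavaScript but may need to be `Lax` if the first page load after a cross-site link has to see it.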