spring-boot, spring-security, csrf

Is it possible to add same-site attribute to Spring Security CSRF's .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())


My security configuration has the following line:

...csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...

which sends a CSRF cookie back to the client with every request. This cookie has no SameSite attribute set. Is it possible to add the SameSite attribute as well? I looked around some methods inside that class and, to my knowledge, there is nothing about extra attributes.

How can this be done?


Solution

  • Unfortunately, as of version 4.0.1, the servlet-api doesn't allow you to add the Same-Site attribute to a Cookie. Hopefully this will change soon.

    But in the meantime, you could provide your own CsrfTokenRepository implementation that, instead of adding a Cookie to the HttpServletResponse (and thus being limited by the servlet-api's representation of a cookie), sets the cookie directly in the HTTP header:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.security.web.csrf.CsrfTokenRepository;

    public class CustomCsrfTokenRepository implements CsrfTokenRepository {
        // generateToken(...) and loadToken(...) still need to be implemented

        @Override
        public void saveToken(CsrfToken token, HttpServletRequest request,
                HttpServletResponse response) {
            // Write the Set-Cookie header by hand so the SameSite attribute can be included.
            // A null token means "clear the cookie": send an empty value that expires at once.
            String value = (token == null) ? "" : token.getToken();
            String expiry = (token == null) ? "; Max-Age=0" : "";
            // No HttpOnly, matching withHttpOnlyFalse(): client-side script must read the value.
            // addHeader (not setHeader) keeps any other Set-Cookie headers on the response.
            response.addHeader("Set-Cookie",
                    "XSRF-TOKEN=" + value + "; Path=/; SameSite=Strict" + expiry);
        }
    }
    

    You can take a look at CookieCsrfTokenRepository to fill in the gaps.
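A complete repository along these lines, added here as an example rather than the answer author's code. It mirrors the defaults of CookieCsrfTokenRepository (cookie XSRF-TOKEN, header X-XSRF-TOKEN, parameter _csrf, which are assumptions taken from that class), targets the javax servlet API of the Spring Security 4.x era, and adds Secure alongside SameSite=Strict:

```java
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.web.util.WebUtils;

/**
 * Writes the CSRF cookie as a raw Set-Cookie header so that the SameSite
 * attribute (which javax.servlet.http.Cookie cannot express) can be set.
 * Names below are assumptions that follow CookieCsrfTokenRepository's defaults.
 */
public class SameSiteCsrfTokenRepository implements CsrfTokenRepository {
    private static final String COOKIE_NAME = "XSRF-TOKEN";
    private static final String HEADER_NAME = "X-XSRF-TOKEN";
    private static final String PARAMETER_NAME = "_csrf";

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        // Unpredictable per-session token; the client echoes it back in the header
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        // A null token means "clear the cookie" (Spring does this on logout / rotation)
        String value = (token == null) ? "" : token.getToken();
        String expiry = (token == null) ? "; Max-Age=0" : "";
        // No HttpOnly, like withHttpOnlyFalse(): the browser-side app must read the value.
        // Secure limits the cookie to HTTPS; SameSite=Strict stops cross-site sends.
        response.addHeader("Set-Cookie",
                COOKIE_NAME + "=" + value + "; Path=/; Secure; SameSite=Strict" + expiry);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        // DefaultCsrfToken rejects an empty token, so treat a cleared cookie as absent
        if (cookie == null || cookie.getValue().isEmpty()) {
            return null;
        }
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, cookie.getValue());
    }
}
```

Wire it in with `.csrf().csrfTokenRepository(new SameSiteCsrfTokenRepository())` in place of the `withHttpOnlyFalse()` call from the question.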