Description
Expected Behavior
The class org.springframework.security.web.csrf.CookieCsrfTokenRepository
should allow setting the SameSite policy as an optional parameter; with this, when the CSRF token is sent in a cookie instead of a header, the browser's console should show no warning or error.
Current Behavior
When the current implementation of org.springframework.security.web.csrf.CookieCsrfTokenRepository
is used to send the CSRF token in a cookie instead of a header (a common setup when working with JWT, for example), some browsers have started to report the following warning:
Cookie “XSRF-TOKEN” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
The same warning is reported for every response that sets the cookie (potentially every request other than the login).
Currently, there is no way to set the SameSite policy in the class org.springframework.security.web.csrf.CookieCsrfTokenRepository
because internally it uses a jakarta.servlet.http.Cookie,
which doesn't support the attribute either.
Context
I've started to see the previous message in the browser's console.
I don't know any workaround other than implementing my own version of org.springframework.security.web.csrf.CookieCsrfTokenRepository
with the option of adding the SameSite policy, but I guess that this "problem" is affecting others the same way it is affecting me.
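The workaround described above, written out as an added example that is neither part of this issue nor Spring Security's own code: a hypothetical CsrfTokenRepository that keeps the same cookie, header and parameter names as CookieCsrfTokenRepository but emits the cookie through org.springframework.http.ResponseCookie, whose builder has a sameSite() method, instead of jakarta.servlet.http.Cookie. The class name, the constructor parameter and the choice to default to "Lax" are assumptions of this example.

```java
import java.util.UUID;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.util.StringUtils;
import org.springframework.web.util.WebUtils;

// Hypothetical class (illustration only): XSRF-TOKEN cookie with an explicit SameSite attribute.
public class SameSiteCookieCsrfTokenRepository implements CsrfTokenRepository {

    static final String COOKIE_NAME = "XSRF-TOKEN";   // same defaults as CookieCsrfTokenRepository
    static final String HEADER_NAME = "X-XSRF-TOKEN";
    static final String PARAMETER_NAME = "_csrf";
    private final String sameSite;

    // "Lax" or "Strict" are the sensible values here; "None" would also require the Secure flag.
    public SameSiteCookieCsrfTokenRepository(String sameSite) {
        this.sameSite = (sameSite == null || sameSite.isBlank()) ? "Lax" : sameSite;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        String value = (token == null) ? "" : token.getToken();
        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, value)
                .path(request.getContextPath().isEmpty() ? "/" : request.getContextPath())
                .secure(request.isSecure())
                .httpOnly(false)                 // the front end must read it to echo it in X-XSRF-TOKEN
                .maxAge(token == null ? 0 : -1)  // 0 deletes the cookie, -1 omits Max-Age (session cookie)
                .sameSite(sameSite)              // the attribute jakarta.servlet.http.Cookie cannot set
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        if (cookie == null || !StringUtils.hasLength(cookie.getValue())) return null;
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, cookie.getValue());
    }
}
```

Register it with `http.csrf(csrf -> csrf.csrfTokenRepository(new SameSiteCookieCsrfTokenRepository("Lax")))`; since the token cookie is only ever read by same-origin script, "Lax" or "Strict" silences the console warning without weakening the double-submit check.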