Remove Servlet Spec 2.5 and 3.0 Support for CSRF

Related to #6220 

The `CookieCsrfTokenRepository` attempts to [use the `setHttpOnly` method only if that method is available in `javax.servlet.http.Cookie`](https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java#L59).

Since Spring Framework 5.0 has a Servlet Spec baseline of 3.1, this check is no longer necessary.

We should always use the `setHttpOnly` method and remove [any corresponding Servlet 2.5 or 3.0 tests](https://github.com/spring-projects/spring-security/blob/master/web/src/test/java/org/springframework/security/web/csrf/CookieCsrfTokenRepositoryServlet3Tests.java).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Remove Servlet Spec 2.5 and 3.0 Support for CSRF #6262

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions