CsrfTokenRequestAttributeHandler documentation should reflect that default is XorCsrfTokenRequestAttributeHandler

[mdadoua]

Hello,

The documentation for "Configuring CsrfTokenRequestAttributeHandler" here (github link here) currently says that the default implementation is CsrfTokenRequestAttributeHandler (i.e. the one before Spring Security 6.x).

Unless I'm mistaken, I believe the new default is XorCsrfTokenRequestAttributeHandler which seems to be the case since gh-11960.

[GijsCalis]

This should also get mentioned in the migration guide to Spring Security 6.x as this is a breaking change for at least applications using Angular.

[sjohnr]

Thanks @mdadoua! I'll look into this, as I thought I had made this update but evidently forgot to do so. If you're interested in submitting a PR, let me know!

@GijsCalis, note that the 6.0 migration guide mentions following steps in the 5.8 migration guide first. Check out I am using AngularJS or another Javascript framework in the 5.8 migration guide.