Hello,
The documentation for "Configuring CsrfTokenRequestAttributeHandler" here (github link here) currently says that the default implementation is CsrfTokenRequestAttributeHandler (i.e. the one before Spring Security 6.x).
Unless I'm mistaken, I believe the new default is XorCsrfTokenRequestAttributeHandler which seems to be the case since gh-11960.
Comment From: GijsCalis
This should also get mentioned in the migration guide to Spring Security 6.x as this is a breaking change for at least applications using Angular.
Comment From: sjohnr
Thanks @mdadoua! I'll look into this, as I thought I had made this update but evidently forgot to do so. If you're interested in submitting a PR, let me know!
@GijsCalis, note that the 6.0 migration guide mentions following the steps in the 5.8 migration guide first. Check out "I am using AngularJS or another Javascript framework" in the 5.8 migration guide.