https://github.com/spring-projects/spring-security/blob/8d58113b61f2a0d8fa5d563faf53d59a83dab673/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java#L179-L183

The withHttpOnlyFalse() factory method does lead to unexpected behavior if a customizer is set, as the default httpOnly=true is set again and not reset in https://github.com/spring-projects/spring-security/blob/8d58113b61f2a0d8fa5d563faf53d59a83dab673/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java#L98

Comment From: jzheaux

Thanks, good catch @stipx. This will go into the next maintenance release.
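
A regression check for the behavior reported at the top of this thread, added here as an example; it is not code from the thread or from the Spring Security project. It assumes spring-security-web and spring-test are on the classpath; the class name, helper names and the `SameSite` value are constructed for illustration.

```java
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;

// Hypothetical check class: compares the CSRF cookie written by withHttpOnlyFalse()
// with and without an additional cookie customizer.
public class CsrfCookieHttpOnlyCheck {

    /** Saves a fresh token through the repository and returns the Set-Cookie headers it wrote. */
    static List<String> setCookieHeaders(CookieCsrfTokenRepository repository) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        CsrfToken token = repository.generateToken(request);
        repository.saveToken(token, request, response);
        return response.getHeaders("Set-Cookie");
    }

    /** True if any of the given Set-Cookie headers carries the HttpOnly attribute. */
    static boolean hasHttpOnly(List<String> headers) {
        return headers.stream().anyMatch(h -> h.toLowerCase().contains("httponly"));
    }

    public static void main(String[] args) {
        // Baseline: the factory method alone.
        CookieCsrfTokenRepository plain = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // Case from the report: the same factory method, then a customizer
        // that touches an unrelated attribute (constructed sample value).
        CookieCsrfTokenRepository customized = CookieCsrfTokenRepository.withHttpOnlyFalse();
        customized.setCookieCustomizer(cookie -> cookie.sameSite("Lax"));

        List<String> plainHeaders = setCookieHeaders(plain);
        List<String> customizedHeaders = setCookieHeaders(customized);
        System.out.println("plain:      " + plainHeaders);
        System.out.println("customized: " + customizedHeaders);

        // A repository obtained from withHttpOnlyFalse() should never emit HttpOnly.
        // If the customized case does, client-side script cannot read the token cookie.
        if (hasHttpOnly(plainHeaders) || hasHttpOnly(customizedHeaders)) {
            System.err.println("HttpOnly present on a withHttpOnlyFalse() repository");
            System.exit(1);
        }
    }
}
```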