Prevent caching of non-document requests in HttpSessionRequestCache

Signed-off-by: Andrey Litvitski <[email protected]>

Author: therepanic

web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java

@@ -50,7 +50,7 @@ public class HttpSessionRequestCache implements RequestCache {
 
 	private boolean createSessionAllowed = true;
 
-	private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
+	private RequestMatcher requestMatcher = new SecFetchDestRequestMatcher();
 
 	private String sessionAttrName = SAVED_REQUEST;
 

web/src/main/java/org/springframework/security/web/savedrequest/SecFetchDestRequestMatcher.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.savedrequest;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public class SecFetchDestRequestMatcher  implements RequestMatcher {
+	@Override
+	public boolean matches(HttpServletRequest request) {
+		String secFetchDest = request.getHeader("Sec-Fetch-Dest");
+		return "document".equals(secFetchDest);
+	}
+}