Fix header value typo

Closes gh-11948

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -801,7 +801,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * replaced with "#". For example:
 		 *
 		 * <pre>
-		 * X-XSS-Protection: 1 ; mode=block
+		 * X-XSS-Protection: 1; mode=block
 		 * </pre>
 		 * @param headerValue the new header value
 		 * @since 5.8

config/src/test/java/org/springframework/security/config/web/server/HeaderSpecTests.java

@@ -75,7 +75,7 @@ public class HeaderSpecTests {
 		this.expectedHeaders.add(HttpHeaders.EXPIRES, "0");
 		this.expectedHeaders.add(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS, "nosniff");
 		this.expectedHeaders.add(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS, "DENY");
-		this.expectedHeaders.add(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block");
+		this.expectedHeaders.add(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1; mode=block");
 	}
 
 	@Test
@@ -320,7 +320,7 @@ public class HeaderSpecTests {
 
 	@Test
 	public void headersWhenXssProtectionValueEnabledModeBlockThenXssProtectionWritten() {
-		this.expectedHeaders.set(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block");
+		this.expectedHeaders.set(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1; mode=block");
 		// @formatter:off
 		this.http.headers()
 				.xssProtection()

config/src/test/kotlin/org/springframework/security/config/web/server/ServerHeadersDslTests.kt

@@ -70,7 +70,7 @@ class ServerHeadersDslTests {
                 .expectHeader().valueEquals(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate")
                 .expectHeader().valueEquals(HttpHeaders.EXPIRES, "0")
                 .expectHeader().valueEquals(HttpHeaders.PRAGMA, "no-cache")
-                .expectHeader().valueEquals(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block")
+                .expectHeader().valueEquals(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1; mode=block")
     }
 
     @EnableWebFluxSecurity

config/src/test/kotlin/org/springframework/security/config/web/server/ServerHttpSecurityDslTests.kt

@@ -123,7 +123,7 @@ class ServerHttpSecurityDslTests {
                 .expectHeader().valueEquals(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate")
                 .expectHeader().valueEquals(HttpHeaders.EXPIRES, "0")
                 .expectHeader().valueEquals(HttpHeaders.PRAGMA, "no-cache")
-                .expectHeader().valueEquals(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block")
+                .expectHeader().valueEquals(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1; mode=block")
     }
 
     @EnableWebFluxSecurity

config/src/test/kotlin/org/springframework/security/config/web/server/ServerXssProtectionDslTests.kt

@@ -56,7 +56,7 @@ class ServerXssProtectionDslTests {
         this.client.get()
                 .uri("/")
                 .exchange()
-                .expectHeader().valueEquals(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block")
+                .expectHeader().valueEquals(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, "1; mode=block")
     }
 
     @EnableWebFluxSecurity

web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java

@@ -122,7 +122,7 @@ public final class XXssProtectionHeaderWriter implements HeaderWriter {
 	 * specify mode as blocked. The content will be replaced with "#". For example:
 	 *
 	 * <pre>
-	 * X-XSS-Protection: 1 ; mode=block
+	 * X-XSS-Protection: 1; mode=block
 	 * </pre>
 	 * @param headerValue the new header value
 	 * @throws IllegalArgumentException when headerValue is null
@@ -134,7 +134,7 @@ public final class XXssProtectionHeaderWriter implements HeaderWriter {
 	}
 
 	/**
-	 * The value of the x-xss-protection header. One of: "0", "1", "1 ; mode=block"
+	 * The value of the x-xss-protection header. One of: "0", "1", "1; mode=block"
 	 *
 	 * @author Daniel Garnier-Moiroux
 	 * @since 5.8

web/src/main/java/org/springframework/security/web/server/header/XXssProtectionServerHttpHeadersWriter.java

@@ -122,7 +122,7 @@ public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersW
 	 * specify mode as blocked. The content will be replaced with "#". For example:
 	 *
 	 * <pre>
-	 * X-XSS-Protection: 1 ; mode=block
+	 * X-XSS-Protection: 1; mode=block
 	 * </pre>
 	 * @param headerValue the new headerValue
 	 * @throws IllegalArgumentException if headerValue is null
@@ -135,14 +135,14 @@ public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersW
 	}
 
 	/**
-	 * The value of the x-xss-protection header. One of: "0", "1", "1 ; mode=block"
+	 * The value of the x-xss-protection header. One of: "0", "1", "1; mode=block"
 	 *
 	 * @author Daniel Garnier-Moiroux
 	 * @since 5.8
 	 */
 	public enum HeaderValue {
 
-		DISABLED("0"), ENABLED("1"), ENABLED_MODE_BLOCK("1 ; mode=block");
+		DISABLED("0"), ENABLED("1"), ENABLED_MODE_BLOCK("1; mode=block");
 
 		private final String value;
 

web/src/test/java/org/springframework/security/web/server/header/XXssProtectionServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 		this.writer.writeHttpHeaders(this.exchange);
 		assertThat(this.headers).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION))
-			.containsOnly("1 ; mode=block");
+			.containsOnly("1; mode=block");
 	}
 
 	@Test
@@ -99,7 +99,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 		this.writer.writeHttpHeaders(this.exchange);
 		assertThat(this.headers).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION))
-			.containsOnly("1 ; mode=block");
+			.containsOnly("1; mode=block");
 	}
 
 }