Resolving invalid CSRF token values is not consistent #15184

Closed
@sjohnr

Description

Describe the bug

When CSRF tokens are modified client-side, resolving token values with the Xor* implementations is not consistent:

  • When the expected token (stored via CsrfToken) is shorter than the provided token, a token of arbitrary length is resolved
  • When the expected token (stored via CsrfToken) is longer than the provided token, an ArrayIndexOutOfBoundsException is thrown

Expected behavior

When CSRF tokens are modified client-side, resolving CSRF token values should be consistent:

  • When the expected token is shorter than the provided token, the token should be resolved as null
  • When the expected token is longer than the provided token, the token should be resolved as null

Additionally, we should ensure the following edge cases are covered:

  • When a single byte is added to the encoded token, the token should be resolved as null and no ArrayIndexOutOfBoundsException is thrown
  • When a single byte is removed from the encoded token, the token should be resolved as null and no ArrayIndexOutOfBoundsException is thrown

Context

This issue was originally reported via gh-13310 and partially resolved in 6.2.0.
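The consistent behaviour the report asks for, shown in an added example that is not Spring Security's own code: a small codec modelled on the XOR masking scheme (random bytes concatenated with the XOR of those bytes and the token), whose decode path returns null for every length mismatch, including the single-byte-added and single-byte-removed cases, instead of throwing or returning a token of the wrong length. The class name, method names and sample token are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not Spring Security's own code. Assumed wire layout:
// base64url( randomBytes || (randomBytes XOR tokenBytes) ), checked strictly on decode.
public final class XorCsrfTokenCodec {
    // Masks the stored token with fresh random bytes so each value sent to the client differs.
    public static String mask(String token) {
        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
        byte[] randomBytes = new byte[tokenBytes.length];
        new SecureRandom().nextBytes(randomBytes);
        byte[] out = new byte[tokenBytes.length * 2];
        System.arraycopy(randomBytes, 0, out, 0, randomBytes.length);
        for (int i = 0; i < tokenBytes.length; i++) {
            out[randomBytes.length + i] = (byte) (randomBytes[i] ^ tokenBytes[i]);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Recovers the token from the client-supplied value; returns null for any malformed input.
    public static String unmask(String expectedToken, String encoded) {
        byte[] actualBytes;
        try {
            actualBytes = Base64.getUrlDecoder().decode(encoded);
        } catch (IllegalArgumentException ex) {
            return null; // not valid base64url
        }
        int tokenSize = expectedToken.getBytes(StandardCharsets.UTF_8).length;
        // Exactly two halves of the expected size, or nothing: shorter would index past the array,
        // longer would decode to a token of arbitrary length.
        if (actualBytes.length != tokenSize * 2) {
            return null;
        }
        byte[] result = new byte[tokenSize];
        for (int i = 0; i < tokenSize; i++) {
            result[i] = (byte) (actualBytes[i] ^ actualBytes[tokenSize + i]);
        }
        return new String(result, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String expected = "6f4c8d9e-2a1b-4c3d-8e7f-0a1b2c3d4e5f"; // constructed sample token
        String sent = mask(expected);
        System.out.println("round trip matches: " + expected.equals(unmask(expected, sent)));
        System.out.println("one char appended: " + unmask(expected, sent + "A"));
        System.out.println("one char removed: " + unmask(expected, sent.substring(1)));
        System.out.println("longer token sent: " + unmask(expected, mask(expected + "-extra")));
        System.out.println("shorter token sent: " + unmask(expected, mask("short")));
    }
}
```

The last four calls in main exercise the cases listed in the report; each should print null rather than a value or a stack trace.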

Metadata

Labels

  • in: messaging (An issue in spring-security-messaging)
  • in: web (An issue in web modules (web, webmvc))
  • type: bug (A general bug)
