From 86601932cdeb4fb2aa347841769e96d2168d5d7b Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Mon, 8 Sep 2025 14:12:48 +0200 Subject: [PATCH] [AssetMapper] Adding info for CSP, recommending `script-src 'strict-dynamic'` Page: https://symfony.com/doc/6.4/frontend/asset_mapper.html#handling-css I think there should be a clear recommendation for people using a Content-Security-Policy. Is `script-src 'strict-dynamic'` really the way to go? It's not possible for AssetMapper to just omit those empty entries, is it? --- frontend/asset_mapper.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/frontend/asset_mapper.rst b/frontend/asset_mapper.rst index 6f045938339..f3a4b376e75 100644 --- a/frontend/asset_mapper.rst +++ b/frontend/asset_mapper.rst @@ -476,10 +476,14 @@ the page as ``link`` tags in the order they were imported. .. note:: Importing a CSS file is *not* something that is natively supported by - JavaScript modules. AssetMapper makes this work by adding a special importmap - entry for each CSS file. These special entries are valid, but do nothing. + JavaScript modules. AssetMapper makes this work by adding an empty importmap + entry for each CSS file, e.g. ``"/assets/app.css": "data:application/javascript,",``. + These special entries are valid, but do nothing. AssetMapper adds a ```` tag for each CSS file, but when JavaScript executes the ``import`` statement, nothing additional happens. + When using a **Content-Security-Policy** with ``script-src 'self'``, this + will trigger an error because of the ``data:`` URL. You can either just + ignore the error, or lower the rule to ``script-src 'strict-dynamic'``. .. _asset-mapper-3rd-party-css:
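Review bot: The added CSP sentences at the end of the note present ``script-src 'strict-dynamic'`` as a lowered form of ``script-src 'self'``, but 'strict-dynamic' does nothing on its own. It only extends trust from scripts that already carry a valid nonce or hash, and browsers that support it ignore 'self' and host-source expressions when it is present. A policy that consists only of ``script-src 'strict-dynamic'`` would therefore block the application's own scripts instead of permitting the ``data:`` entry. Suggest showing the complete directive the reader should end up with (a nonce or hash source together with 'strict-dynamic') and saying where that nonce or hash comes from, rather than the bare keyword. "You can either just ignore the error" also needs a qualifier: where the policy has a reporting endpoint the violation will appear in the CSP reports, so state explicitly that the blocked entry is the empty placeholder the note already describes as doing nothing. Minor: the example literal ends with a JSON separator comma after the closing quote, which reads as part of the value; drop it.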