Hello everyone,

I have a question regarding Symfony UX Live Components and forms.

Context:

Imagine you have a Parent Component and a nested Child Component.Both areLive Components and both includeSymfony FORMS (FormBuilder). However, the submit button for the child’s form is located in the Parent Component, and I use a LiveComponent emit to dispatch an event that the child’s save method listens for.

Although the event arrives correctly, I get an Invalid CSRF-TOKEN error coming from the child component.

While investigating, I discovered that Turbo UX uses the csrf_protection_controller.js Stimulus controller to generate a CSRF token. What does this imply? Must I disable Symfony’s default CSRF token handling for forms?

In my csrf.yaml, I currently have:

# Enable stateless CSRF protection for forms and logins/logoutsframework:form:csrf_protection:token_id:submitcsrf_protection:check_header:truestateless_token_ids:# - submit            -authenticate            -logout

When I disable the submit entry under stateless_token_ids, the form no longer raises a CSRF error. If I inspect the Symfony Profiler (under the child’s save request → Forms), it shows :

Does the CSRF token still exist, and should I therefore leave submit disabled in csrf.yaml?

Why aren’t there clear references or documentation explaining that Turbo UX uses its own controller for token generation and CSRF handling?

Thank you very much!