[AssetMapper] Adding CSP details, recommending `script-src 'strict-dynamic'`
#21356
base: 6.4
Conversation
Pull Request Overview
This PR adds important Content-Security-Policy (CSP) documentation to the AssetMapper section, specifically addressing issues that occur when using `script-src 'self'` with CSS imports. The change clarifies how AssetMapper handles CSS imports through empty importmap entries and provides guidance for CSP configuration.

- Explains how AssetMapper creates empty importmap entries for CSS files using `data:` URLs
- Documents the CSP conflict that occurs with `script-src 'self'` when importing CSS files
- Recommends using `script-src 'strict-dynamic'` as a solution to CSP issues
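To make the conflict described in the overview concrete, here is an added example (not AssetMapper's or Symfony's code) that models an importmap containing a CSS entry and runs it through a small CSP `script-src` evaluator following the CSP3 matching rules for the source expressions used. The exact value AssetMapper emits for the CSS entry (`data:application/javascript,`), the versioned asset path, the origin and the nonce value are all constructed assumptions; the behaviour of `'self'` versus a nonce plus `'strict-dynamic'` is standard CSP semantics.

```javascript
// Constructed importmap. The CSS entry's value is an ASSUMPTION about the shape
// AssetMapper emits: an empty JavaScript module behind a data: URL, so
// `import '/assets/app.css'` resolves to a script that runs and does nothing.
const sampleImportmap = {
  imports: {
    app: "/assets/app-abc123.js", // constructed versioned path
    "/assets/app.css": "data:application/javascript,",
  },
};

// Pull the script-src source list out of a serialized policy string.
function parseScriptSrc(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0] === "script-src");
  return directive ? directive.slice(1) : [];
}

// Decide whether one script request passes the script-src source list.
// req = { url, pageOrigin, nonce, parserInserted, loadedByTrustedScript }
function allowsScript(sources, req) {
  const nonces = sources
    .filter((s) => s.startsWith("'nonce-"))
    .map((s) => s.slice("'nonce-".length, -1));
  if (req.nonce && nonces.includes(req.nonce)) return true;

  if (sources.includes("'strict-dynamic'")) {
    // With 'strict-dynamic' the allowlist ('self', hosts, schemes) is ignored;
    // trust flows from a nonced script to the scripts it loads that the parser
    // did not insert (static and dynamic module imports qualify).
    return !req.parserInserted && Boolean(req.loadedByTrustedScript);
  }

  const url = new URL(req.url, req.pageOrigin);
  for (const src of sources) {
    if (src === "'self'" && url.origin === req.pageOrigin) return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src) && url.protocol === src) return true; // scheme-source, e.g. data:
    if (!src.startsWith("'") && url.host === src) return true; // bare host-source (simplified)
  }
  return false;
}

// Which importmap specifiers would be blocked when the page's entry module
// (itself trusted through its nonce) imports them under the given policy?
function blockedImportmapEntries(importmap, policy, pageOrigin) {
  const sources = parseScriptSrc(policy);
  return Object.entries(importmap.imports)
    .filter(
      ([, target]) =>
        !allowsScript(sources, {
          url: target,
          pageOrigin,
          parserInserted: false, // module imports are not parser-inserted
          loadedByTrustedScript: true, // imported from the nonced entry module
        }),
    )
    .map(([specifier]) => specifier);
}

const origin = "https://example.test"; // constructed origin
const weakPolicy = "default-src 'self'; script-src 'self'";
const fixedPolicy = "default-src 'self'; script-src 'nonce-r4nd0mN0nc3' 'strict-dynamic'";

console.log("blocked with 'self':", blockedImportmapEntries(sampleImportmap, weakPolicy, origin));
console.log("blocked with nonce + 'strict-dynamic':", blockedImportmapEntries(sampleImportmap, fixedPolicy, origin));
```

Two points the evaluator makes visible: the `data:` target is rejected by `'self'` because a `data:` URL has an opaque origin, and `'strict-dynamic'` only helps when the `<script type="importmap">` and the entry `<script type="module">` tags carry the nonce, since that nonce is the root from which trust propagates to the imported modules.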
executes the ``import`` statement, nothing additional happens. | ||
When using a **Content-Security-Policy** with ``script-src 'self'``, this | ||
will trigger an error because of the ``data:`` URL. You can either just | ||
ignore the error, or lower the rule to ``script-src 'strict-dynamic'``. |
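Review bot: the advice to switch to `script-src 'strict-dynamic'` is incomplete as written. 'strict-dynamic' grants no trust on its own: it only takes effect next to a nonce or hash source, and in browsers that support it, 'self' and host allowlist entries are then ignored. A reader who literally replaces `'self'` with `'strict-dynamic'` will block every script on the page. Suggest showing the full form (for example `script-src 'nonce-<value>' 'strict-dynamic'`) and stating that the nonce has to be emitted on the importmap and entry module script tags. It would also help to say explicitly that ignoring the error loses nothing, since, per the line above, the empty module does nothing when executed.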
Copilot AI, Sep 9, 2025
[nitpick] The phrase 'lower the rule' is unclear and potentially confusing. Using 'strict-dynamic' is not necessarily 'lowering' security - it's a different security model. Consider rephrasing to 'change the rule to' or 'use' instead of 'lower the rule to'.
ignore the error, orlower the rule to ``script-src 'strict-dynamic'``. | |
ignore the error, orchange the rule to ``script-src 'strict-dynamic'``. |
Page: https://symfony.com/doc/6.4/frontend/asset_mapper.html#handling-css

I think there should be a clear recommendation for people using a Content-Security-Policy. Is `script-src 'strict-dynamic'` really the way to go? It's not possible for AssetMapper to just omit those empty CSS entries, is it? Or change them to `"/assets/app.css": ""`?

(The info is taken from symfony/symfony#58416 (comment))