I have a question regarding Symfony UX Live Components and forms.
Context:
Imagine you have a Parent Component and a nested Child Component. Both are Live Components and both include Symfony FORMS (FormBuilder). However, the submit button for the child’s form is located in the Parent Component, and I use a LiveComponent emit to dispatch an event that the child’s save method listens for.
Although the event arrives correctly, I get an Invalid CSRF-TOKEN error coming from the child component.
While investigating, I discovered that Turbo UX uses the csrf_protection_controller.js Stimulus controller to generate a CSRF token. What does this imply? Must I disable Symfony’s default CSRF token handling for forms?
In my csrf.yaml, I currently have:
# Enable stateless CSRF protection for forms and logins/logouts
framework:
form:
csrf_protection:
token_id: submit
csrf_protection:
check_header: true
stateless_token_ids:
# - submit
- authenticate
- logout
When I disable the submit entry under stateless_token_ids, the form no longer raises a CSRF error. If I inspect the Symfony Profiler (under the child’s save request → Forms), it shows :
Does the CSRF token still exist, and should I therefore leave submit disabled in csrf.yaml?
