Document how to make AssetMapper work with a Content Security Policy

Author: nicwortel

frontend/asset_mapper.rst

@@ -1011,6 +1011,26 @@ you pass to ``importmap()``.
     because ``app`` appears in your ``importmap.php``, the browser will read ``app``
     from the ``importmap`` on the page and ultimately load ``/assets/app-4e986c1a2318dd050b1d47.js``
 
+Using a Content Security Policy (CSP)
+-------------------------------------
+
+If you're using a `Content Security Policy`_ (CSP) to prevent cross-site
+scripting attacks, the inline ``<script>`` tags rendered by the ``importmap()``
+function will likely violate that policy and will not be executed by the browser.
+
+To allow these scripts to run without disabling the security provided by
+the CSP, you can can generate a secure random string for every request (called
+a *nonce*) and include it in the CSP header and in a ``nonce`` attribute on
+the ``<script>`` tags.
+The ``importmap()`` function accepts an optional second argument that can be
+used to pass attributes to the rendered ``<script>`` tags.
+You can use the `NelmioSecurityBundle`_ to generate the nonce and include
+it in the CSP header, and then pass the same nonce to the Twig function:
+
+.. code-block:: html+twig
+
+    {{ importmap('app', {'nonce': csp_nonce('script')}) }}
+
 The AssetMapper Component Caching System in dev
 -----------------------------------------------
 
@@ -1053,3 +1073,5 @@ This will force the AssetMapper component to re-calculate the content of all fil
 .. _EasyAdminBundle: https://github.com/EasyCorp/EasyAdminBundle
 .. _symfonycasts/tailwind-bundle: https://symfony.com/bundles/TailwindBundle/current/index.html
 .. _symfonycasts/sass-bundle: https://symfony.com/bundles/SassBundle/current/index.html
+.. _Content Security Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+.. _NelmioSecurityBundle: https://symfony.com/bundles/NelmioSecurityBundle/current/index.html#nonce-for-inline-script-handling