This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 15476 - [Templates]: Specify how templates work
Summary: [Templates]: Specify how templates work
Status: RESOLVED FIXED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: HISTORICAL - Component Model (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: ---
Assignee: Dimitri Glazkov
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on: 15454 15540 15541 15542 15663 15698 15857 16277 16278 16279 16280 16340 16341 16787 16788 16810 17459 17679 18597 18598 18607 18608 18613 18614 18672 18710 18713 18725 18735 18794 18926 19002 19237 19403 19408 19415 19455 19456 19485 19486 19487 19488 19567 19889 19890 19966 20030 20127 20129 20130 20483 20531 20563 20797 20829 20848 20849 20892 20924 21017 21228 21293 21430 21647 21809 22400 23409 23628 23752
Blocks: 14972
  Show dependency treegraph
 
Reported: 2012-01-09 18:21 UTC by Dimitri Glazkov
Modified: 2015-07-06 07:06 UTC (History)
6 users (show)

See Also:

Attachments

Description Dimitri Glazkov 2012-01-09 18:21:40 UTC 
This is the umbrella bug for tracking specification of the <template> element and associated plumbing
Comment 1 Florian Bender [fbender] 2013-04-21 13:30:00 UTC 
Quick question: How does CSP interact with Web Components?

E. g. if I disable inline scripts (same applies to inline-styles) via CSP, is a <template>'s script affected? (It probably should not. If this is not specified yet, shall I file a bug?)

This leads me to the question: Is it possible to inject malicious scripts via Web Components, i. e. by injecting a link[rel="components"] pointing to malicious templates?