This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
This is the umbrella bug for tracking specification of the <template> element and associated plumbing
Quick question: How does CSP interact with Web Components? E. g. if I disable inline scripts (same applies to inline-styles) via CSP, is a <template>'s script affected? (It probably should not. If this is not specified yet, shall I file a bug?) This leads me to the question: Is it possible to inject malicious scripts via Web Components, i. e. by injecting a link[rel="components"] pointing to malicious templates?