Third-Party Web Components With Lightning Locker
Lightning Locker blocks the use of third-party web components to prevent security risks on the Salesforce platform.
Web components are custom elements. To define a custom element, you must use the
customElements.define API. However, this API allows you to globally register a component by its tag name. Registering a tag name globally is a security risk because an attacker could create an instance of any registered custom element and potentially gain access to sensitive information. Lightning Locker’s
SecureWindow wrapper blocks the
customElements methods that create custom web components.
SecureWindow wrapper list in the Locker API Viewer tool shows that
customElements is not supported.