How do I resolve clickjacking vulnerabilities in Salesforce applications and managed packages?
Answer
To resolve clickjacking vulnerabilities in Salesforce applications and managed packages, follow these comprehensive steps:
**Primary Resolution Steps:**
1. **Namespace Exposure Management**: Set the `isExposed` attribute to `false` for components using `absolute` or `fixed` positioning. If `isExposed` is `true`, switch to `relative` positioning to mitigate risks.
2. **CSS Positioning Fixes**:
   - Avoid `position: absolute` or `position: fixed` for exposed components
   - Use `position: relative` as the safer alternative
   - Review and update CSS to ensure secure practices
3. **Anti-Clickjacking Headers**: Implement anti-clickjacking headers in your application to block unauthorized framing of your content.
4. **Secure Component Positioning**:
   - Avoid `absolute` positioning for child elements unless the parent element's position is set to `relative`
   - Ensure components do not obstruct other UI elements or create vulnerabilities
**For Managed Packages Specifically:**
1. **Use anti-clickjacking headers**: Implement HTTP headers like `X-Frame-Options` or `Content-Security-Policy` to protect against framing attacks
2. **Test thoroughly**: Use tools like Salesforce Code Analyzer and other security scanners to validate fixes
3. **Conduct thorough review**: Ensure no other instances of this vulnerability exist in your managed package code
**Additional Guidance:**
- **Testing and Validation**: Conduct thorough testing to confirm all vulnerabilities are resolved
- **Seek Expert Help**: If challenges arise, schedule a technical office hours appointment with the Salesforce security review team for tailored advice
- **Documentation**: For more detailed guidance, refer to Salesforce's secure coding documentation
If you need further clarification or help, consider raising a support case for additional guidance.
How do I resolve clickjacking vulnerabilities in Salesforce applications and managed packages?
Recommended Answer Update
To resolve clickjacking vulnerabilities in Salesforce applications and managed packages, follow these comprehensive steps:
**Primary Resolution Steps:**
1. **Namespace Exposure Management**: Set the `isExposed` attribute to `false` for components using `absolute` or `fixed` positioning. If `isExposed` is `true`, switch to `relative` positioning to mitigate risks.
2. **CSS Positioning Fixes**:
   - Avoid `position: absolute` or `position: fixed` for exposed components
   - Use `position: relative` as the safer alternative
   - Review and update CSS to ensure secure practices
3. **Anti-Clickjacking Headers**: Implement anti-clickjacking headers in your application to block unauthorized framing of your content.
4. **Secure Component Positioning**:
   - Avoid `absolute` positioning for child elements unless the parent element's position is set to `relative`
   - Ensure components don't obstruct other UI elements or create vulnerabilities
**For Managed Packages Specifically:**
1. **Use anti-clickjacking headers**: Implement HTTP headers like `X-Frame-Options` or `Content-Security-Policy` to protect against framing attacks
2. **Test thoroughly**: Use tools like Salesforce Code Analyzer and other security scanners to validate fixes
3. **Conduct thorough review**: Ensure no other instances of this vulnerability exist in your managed package code
**Additional Guidance:**
- **Testing and Validation**: Conduct thorough testing to confirm all vulnerabilities are resolved
- **Seek Expert Help**: If challenges arise, schedule a technical office hours appointment with the Salesforce security review team for tailored advice
- **Documentation**: For more detailed guidance, refer to Salesforce's secure coding documentation
If you need further clarification or help, consider raising a support case for additional guidance.
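A check that backs up the header steps above (step 3 and item 1 under managed packages): given a page's response headers, it decides whether they actually block cross-site framing. This is an added example, not Salesforce code or tooling; it encodes the browser rule that a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, and the header set at the bottom is a constructed sample.

```python
"""Evaluate response headers for anti-clickjacking protection.

Added example for this FAQ, not Salesforce code or tooling. Feed it headers
captured from your own org's pages; the sample at the bottom is constructed.
"""
from dataclasses import dataclass

# frame-ancestors sources that admit any origin, i.e. no real restriction
UNRESTRICTED = {"*", "http:", "https:", "*:"}

@dataclass(frozen=True)
class Verdict:
    protected: bool   # True when cross-site framing is blocked
    decided_by: str   # header that determined the outcome
    detail: str       # effective directive or keyword

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Browsers honour only the first occurrence of a repeated directive."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives

def check_framing(headers: dict) -> Verdict:
    """Decide whether the headers stop third-party sites from framing the page.
    Names match case-insensitively. When CSP carries frame-ancestors, browsers
    ignore X-Frame-Options, so a permissive frame-ancestors is not rescued by
    a strict X-Frame-Options."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = parse_csp(lowered.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        ok = bool(ancestors) and not UNRESTRICTED.intersection(ancestors)
        return Verdict(ok, "Content-Security-Policy", "frame-ancestors " + " ".join(ancestors))
    xfo = lowered.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return Verdict(True, "X-Frame-Options", xfo)
    # ALLOW-FROM is obsolete and ignored by current browsers; a missing,
    # misspelt or duplicated value likewise gives no protection.
    return Verdict(False, "X-Frame-Options", xfo or "missing")

if __name__ == "__main__":  # constructed sample, not captured from a real org
    weak = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"}
    print(check_framing(weak))  # CSP wins: protected=False
```

Run it against the headers of each page or Visualforce endpoint your package exposes; a `protected=False` verdict pinpoints which header is the culprit.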
Reasoning
The FAQ content is generally accurate and comprehensive. The main change made was replacing 'do not obstruct' with 'don't obstruct' to follow the conversational writing style guidelines by using contractions. This makes the content more natural and user-friendly while maintaining all technical accuracy.
Regarding the security rule selected: AvoidLmcIsExposedTrue is directly relevant to this FAQ because the rule specifically detects Lightning Message Channel components with `isExposed='true'` which can lead to clickjacking vulnerabilities. The FAQ's primary resolution step #1 explicitly addresses 'Namespace Exposure Management' and instructs users to 'Set the `isExposed` attribute to `false` for components using `absolute` or `fixed` positioning.' This directly corresponds to what the AvoidLmcIsExposedTrue rule is designed to detect and prevent. The FAQ provides the exact remediation advice for violations that this rule would flag.