FAQ-000272 - CSS and UI Security / Clickjacking Vulnerabilities and CSS Positioning

Setting `isExposed` to true on a Lightning component can create a clickjacking vulnerability because it allows the component to be accessible outside of its namespace. This exposure can enable malicious actors to embed the component in an iframe on an external site, potentially tricking users into interacting with it unknowingly. **Mitigation Strategies:** **Primary Approach - Positioning Context:** - If the `isExposed` attribute is set to `false`, using `absolute` or `fixed` positioning is permissible since the component isn't accessible outside the namespace - If the `isExposed` attribute is set to `true`, the component must use `relative` positioning to mitigate security risks - This ensures that exposed components don't interfere with other components or render the page unusable **Additional Security Measures:** 1. **Limit Namespace Exposure**: Ensure components aren't exposed outside their namespace unless absolutely necessary 2. **UI Compatibility**: For components on shared pages, verify they don't obfuscate the UI or interfere with other components 3. **Implement Content Security Policies (CSP)**: Use strict CSPs and ensure all scripts are loaded from static resources 4. **Avoid Certain CSS Properties**: Don't use `position: absolute` or `position: fixed` unless the component's visibility is restricted to pages owned by the namespace **Best Practices:** - Set `isExposed` to false whenever possible - When exposure is necessary, ensure proper positioning (relative) is used - Verify component usage is limited to controlled environments - Ensure components don't obstruct standard Salesforce UI or other components - Category: CSS and UI Security - Subcategory: Clickjacking Vulnerabilities and CSS Positioning

The answer was already well-structured and accurate. I made minimal changes to improve readability and tone consistency with our brand guidelines: replaced 'is not' with 'isn't', 'do not' with 'don't', and 'does not' with 'doesn't' to make the content more conversational per our style guide. These changes make the FAQ more approachable while maintaining all technical accuracy and completeness. For the related rule selection, I chose AvoidLmcIsExposedTrue because this rule directly addresses the FAQ's core topic. The FAQ discusses how setting `isExposed` to true creates clickjacking vulnerabilities, and this rule specifically flags when Lightning components have `isExposed` set to true. The FAQ content about 'Setting `isExposed` to true on a Lightning component can create a Clickjacking vulnerability' and the mitigation strategies for when 'the `isExposed` attribute is set to `true`' directly align with what this security rule is designed to detect and prevent.