FAQ-000273 - CSS and UI Security / Clickjacking Vulnerabilities and CSS Positioning


Current FAQ

Question
What are the recommended alternatives to absolute and fixed positioning that won't trigger clickjacking concerns?
Answer
The primary recommended alternative to absolute and fixed positioning is to use **relative positioning**. This approach helps mitigate clickjacking concerns, especially when the component is exposed outside of its namespace.

**Key Alternatives and Guidelines:**

1. **Relative Positioning**:
   - Use `position: relative` for components
   - Ensures compatibility with style isolation
   - Prevents potential security risks, such as clickjacking
   - Safer and more compliant choice for shared or reusable components
2. **Conditional Usage of Fixed/Absolute Positioning**:
   - Can be used if the component is not exposed outside of its namespace
   - Acceptable when visibility is limited to pages owned by the namespace
   - For example, a progress bar fixed to the top of a page is acceptable if used exclusively on specific forms within the namespace
3. **Additional Security Measures**:
   - Ensure the `isExposed` attribute is set to `false` in the meta-xml file to further reduce security risks
   - Design components to ensure compatibility and isolation within the Salesforce environment
   - Verify the component's implemented interfaces to confirm its usage scope

**Important Considerations:**

- If the component is designed for shared pages or other apps, fixed/absolute positioning is not allowed as it could interfere with other components or make the page unusable
- For shared or reusable components, sticking with `position: relative` is the safer and more compliant choice
- Ensure the component does not obfuscate or overlap with standard Salesforce UI or other components

AI Recommended Enhancement

Question
What are the recommended alternatives to absolute and fixed positioning that won't trigger clickjacking concerns?
Recommended Answer Update
The primary recommended alternative to absolute and fixed positioning is **relative positioning**. This approach helps mitigate clickjacking concerns, especially when the component is exposed outside of its namespace.

**Key Alternatives and Guidelines:**

1. **Relative Positioning**:
   - Use `position: relative` for components
   - Ensures compatibility with style isolation
   - Prevents potential security risks, such as clickjacking
   - Safer and more compliant choice for shared or reusable components
2. **Conditional Usage of Fixed/Absolute Positioning**:
   - Can be used if the component isn't exposed outside of its namespace
   - Acceptable when visibility is limited to pages owned by the namespace
   - For example, a progress bar fixed to the top of a page is acceptable if used exclusively on specific forms within the namespace
3. **Additional Security Measures**:
   - Set the `isExposed` attribute to `false` in the meta-xml file to reduce security risks
   - Design components to ensure compatibility and isolation within the Salesforce environment
   - Verify the component's implemented interfaces to confirm its usage scope

**Important Considerations:**

- If the component is designed for shared pages or other apps, fixed/absolute positioning isn't allowed as it could interfere with other components or make the page unusable
- For shared or reusable components, sticking with `position: relative` is the safer and more compliant choice
- Make sure the component doesn't obfuscate or overlap with standard Salesforce UI or other components

- Category: CSS and UI Security
- Subcategory: Clickjacking Vulnerabilities and CSS Positioning
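As an added example (not part of this FAQ or of Salesforce's tooling), the following JavaScript lint applies the guideline from both answers above to a Lightning Web Component bundle: it reads `isExposed` from the meta-xml and flags `position: fixed` / `position: absolute` rules in the component CSS, reporting them as errors only when the component is exposed. The meta-xml and CSS inputs are constructed samples; treating a missing `isExposed` element as `false` is an assumption.

```javascript
// Constructed sample js-meta.xml (added example, not from the FAQ): an exposed component.
const SAMPLE_META_XML = `<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>59.0</apiVersion>
    <isExposed>true</isExposed>
</LightningComponentBundle>`;

// Constructed sample component CSS mixing overlay positioning with relative positioning.
const SAMPLE_CSS = `
.progress-bar { position: fixed; top: 0; left: 0; width: 100%; }
.card { position: relative; padding: 1rem; }
.tooltip { position:absolute; z-index: 10; }
`;

// Read the isExposed flag from the meta-xml. Assumption: a missing flag is treated as false.
function isExposed(metaXml) {
  const m = /<isExposed>\s*(true|false)\s*<\/isExposed>/i.exec(metaXml);
  return m ? m[1].toLowerCase() === 'true' : false;
}

// Return every rule whose declaration block positions the element as fixed or absolute.
// Comments are stripped first; nested at-rules are not handled (flat component CSS assumed).
function findOverlayPositioning(cssText) {
  const stripped = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  const hits = [];
  let m;
  while ((m = rule.exec(stripped)) !== null) {
    const pos = /position\s*:\s*(fixed|absolute)\b/i.exec(m[2]);
    if (pos) hits.push({ selector: m[1].trim(), position: pos[1].toLowerCase() });
  }
  return hits;
}

// Apply the FAQ rule: a finding is an error for an exposed component, informational otherwise.
function lintBundle(metaXml, cssText) {
  const exposed = isExposed(metaXml);
  return findOverlayPositioning(cssText).map((h) => ({
    ...h,
    severity: exposed ? 'error' : 'info',
    message: exposed
      ? `${h.selector}: position: ${h.position} on an exposed component; use position: relative or set isExposed to false`
      : `${h.selector}: position: ${h.position} is acceptable only while the component stays inside its namespace`,
  }));
}

for (const finding of lintBundle(SAMPLE_META_XML, SAMPLE_CSS)) {
  console.log(`[${finding.severity}] ${finding.message}`);
}
```

Running it on the samples reports `.progress-bar` and `.tooltip` as errors; switching the meta-xml to `<isExposed>false</isExposed>` downgrades both to informational findings.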
Reasoning
The FAQ content addresses CSS positioning security concerns, which is a UI/frontend security topic, but after reviewing the available security rules, none of them specifically deal with CSS positioning, clickjacking vulnerabilities, or UI-related security issues. The available rules focus primarily on Apex security, authentication, data protection, and JavaScript vulnerabilities, but don't cover CSS positioning concerns. The content itself is technically sound and provides good guidance about using relative positioning as an alternative to absolute/fixed positioning to prevent clickjacking. The minor improvements made were:

1. Changed 'is not' to 'isn't' for a more conversational tone
2. Changed 'further reduce' to 'reduce' to be more concise
3. Changed 'Ensure the component does not' to 'Make sure the component doesn't' for better conversational flow

These changes align with the brand guidelines to be more conversational and use contractions while maintaining the technical accuracy and completeness of the original content.