FAQ-000275 - CSS and UI Security / Clickjacking Vulnerabilities and CSS Positioning

Current Status: Suggests Case

Current FAQ

Question
How do I address clickjacking vulnerabilities for non-visible, off-screen, or non-interactive UI elements?
Answer
To address clickjacking vulnerabilities flagged on non-visible, off-screen, or non-interactive UI elements in Salesforce:

**Why Elements Are Still Flagged:**

Your component can be flagged for clickjacking even when the element is positioned off-screen, because the finding is about the CSS positioning method, not about where the element currently sits. `position: absolute` and `position: fixed` take an element out of the normal layout flow, which allows a malicious component to overlay or interfere with other components, leading to unintended interactions or obfuscation of the user interface. Moving the element off-screen only changes its current offset; the positioning property that makes the overlay possible is still present.

**Primary Resolution Steps:**

1. **Set `isExposed` to `false`**: In the component's `.js-meta.xml` file, set the `isExposed` attribute to `false` so the component cannot be used outside its namespace.
2. **Avoid `absolute` Positioning**: Do not use `absolute` positioning for child elements, because it lets a malicious component overlay the real component.
3. **Use `relative` Positioning**: Apply `relative` positioning to parent elements so they stay in the normal layout flow.

**Additional Considerations:**

- If the component's `isExposed` attribute is `true`, the component is accessible outside its namespace, which increases the risk of exploitation.
- Off-screen positioning does not remove the risk when the positioning method itself is the problem.
- The finding exists because the positioning properties can be exploited regardless of the element's current visibility.

**When to Seek Help:**

If you need further clarification or help, raise a support case for additional guidance. The positioning vulnerability is independent of the element's current visibility, so proper mitigation is essential.
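The resolution steps above, as an added example that is not part of this FAQ and is not Salesforce's own security scanner: a small Node.js script that checks one LWC bundle for the two findings discussed (`position: absolute` or `position: fixed` in the bundle's CSS, and `isExposed` set to `true` in its `.js-meta.xml`), with a flagged bundle and its corrected form embedded as constructed sample input. The component name `helpBanner`, the regexes, the finding labels and the placeholder `apiVersion` are my own assumptions and do not reproduce the scanner's rule logic.

```javascript
// Added example, not code from this FAQ or from Salesforce's own security scanner.
// A minimal pre-commit check for one LWC bundle that mirrors the two findings
// discussed above:
//   - Clickjacking: position:absolute / position:fixed anywhere in the bundle CSS,
//     flagged even when the offsets push the element off-screen
//   - AvoidLmcIsExposedTrue: <isExposed>true</isExposed> in the *.js-meta.xml
// Bundle contents are constructed inline so the script runs offline; a real
// check would read them from the lwc/<component>/ directory. Component name,
// regexes, finding labels and apiVersion are assumptions, not the scanner's logic.

const DISALLOWED_POSITION = /position\s*:\s*(absolute|fixed)\b/gi;
const IS_EXPOSED = /<isExposed>\s*(true|false)\s*<\/isExposed>/i;

// Drop CSS comments so that "/* was position: absolute */" is not a false positive.
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// 1-based line number of a character offset within text.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns a list of findings; an empty list means the bundle passes both checks.
function scanBundle({ name, css, metaXml }) {
  const findings = [];

  const cleanCss = stripCssComments(css);
  for (const m of cleanCss.matchAll(DISALLOWED_POSITION)) {
    findings.push({
      rule: 'Clickjacking',
      file: `${name}.css`,
      line: lineOf(cleanCss, m.index),
      detail: `position: ${m[1].toLowerCase()} takes the element out of normal flow`,
    });
  }

  const exposed = metaXml.match(IS_EXPOSED);
  if (exposed && exposed[1].toLowerCase() === 'true') {
    findings.push({
      rule: 'AvoidLmcIsExposedTrue',
      file: `${name}.js-meta.xml`,
      line: lineOf(metaXml, exposed.index),
      detail: 'component is usable outside its namespace',
    });
  }
  return findings;
}

// Human-readable summary, one line per finding.
function report(bundle) {
  const findings = scanBundle(bundle);
  if (findings.length === 0) return `${bundle.name}: no findings`;
  return findings
    .map((f) => `${bundle.name}: ${f.rule} at ${f.file}:${f.line} (${f.detail})`)
    .join('\n');
}

// Constructed sample: the shape that gets flagged. The element is off-screen,
// but the positioning method is what the finding is about.
const flaggedBundle = {
  name: 'helpBanner',
  css: `
.banner {
  /* off-screen, but still flagged: the offset can change at runtime */
  position: absolute;
  left: -9999px;
}`,
  metaXml: `<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>59.0</apiVersion>
    <isExposed>true</isExposed>
</LightningComponentBundle>`,
};

// Constructed sample: the same bundle after applying the resolution steps.
const hardenedBundle = {
  name: 'helpBanner',
  css: `
.banner {
  /* was position: absolute; the parent now stays in the normal layout flow */
  position: relative;
}`,
  metaXml: `<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>59.0</apiVersion>
    <isExposed>false</isExposed>
</LightningComponentBundle>`,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report(flaggedBundle));
  console.log(report(hardenedBundle));
}
```

Run it with `node` and the flagged bundle produces one finding per rule with the file and line, while the hardened bundle reports nothing. The CSS comment in the hardened sample mentions `position: absolute` on purpose: comments are stripped before matching, so a note about what was removed does not re-trigger the check.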

AI Recommended Enhancement

Related Security Rules
AvoidLmcIsExposedTrue
Question
How do I address clickjacking vulnerabilities for non-visible, off-screen, or non-interactive UI elements?
Recommended Answer Update
To address clickjacking vulnerabilities flagged on non-visible, off-screen, or non-interactive UI elements in Salesforce:

**Why Elements Are Still Flagged:**

Your component might be flagged for Clickjacking even if the element is positioned off-screen because using CSS properties like `position: absolute` or `position: fixed` can still pose a security risk. These properties can allow malicious components to overlay or interfere with other components, potentially leading to unintended interactions or obfuscation of the user interface.

**Primary Resolution Steps:**

1. **Set `isExposed` to `false`**: In the component's meta-xml file, ensure the `isExposed` attribute is set to `false` to prevent access outside its namespace.
2. **Avoid `absolute` Positioning**: Don't use `absolute` positioning for child elements, as it can allow malicious components to overlay the real component.
3. **Use `relative` Positioning**: Apply `relative` positioning to parent elements to mitigate risks.

**Additional Considerations:**

- If the component's `isExposed` attribute is set to `true`, it becomes accessible outside of its namespace, increasing the risk of exploitation
- Off-screen positioning doesn't eliminate the security risk if the positioning method itself is problematic
- The vulnerability exists because the positioning properties can still be exploited regardless of current visibility

**When You Need Help:**

If you need further clarification or help, consider raising a support case for additional guidance. The positioning vulnerability exists independent of current element visibility, so proper mitigation is essential.
Reasoning
The FAQ content is generally accurate and well-structured. The main improvements focus on making the language more conversational and user-friendly while maintaining technical accuracy. Changed 'Do not use' to 'Don't use' for a more conversational tone, and updated 'When to Seek Help' to 'When You Need Help' to be more direct and user-focused. These changes align with the brand guidelines of being conversational and direct without removing any technical content or changing the structure. The AvoidLmcIsExposedTrue rule is directly relevant to this FAQ because it specifically addresses Lightning Web Components with isExposed="true" in their configuration, which creates security vulnerabilities including clickjacking risks. The FAQ's primary resolution step #1 recommends setting isExposed to false, which is exactly what this security rule enforces. The rule description states it 'flags Lightning Web Components that have isExposed set to true in their configuration file,' and the FAQ explains that when isExposed is true, 'it becomes accessible outside of its namespace, increasing the risk of exploitation' - this directly aligns with the clickjacking vulnerability scenarios the FAQ addresses.