FAQ-000276 - CSS and UI Security / Clickjacking Vulnerabilities and CSS Positioning


Current FAQ

Question
How do I get specific details about clickjacking vulnerabilities and implement proper CSS positioning?
Answer
To get more specific details about why your component's CSS was flagged as a clickjacking vulnerability and implement proper solutions:

**Understanding the Vulnerability:**

1. **Review the CSS Positioning**: Check whether your component uses `absolute` or `fixed` positioning. If the `isExposed` attribute is set to `true`, you must use `relative` positioning to mitigate the risk. If `isExposed` is set to `false`, `absolute` or `fixed` positioning may be acceptable.
2. **Refer to Documentation**: You can find detailed guidance on secure CSS practices in Salesforce's documentation: [Secure Code Violation - CSS Outside Components](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_css_outside_components.htm)

**Implementation Guidelines:**

**Proper Positioning Context:**

- If the `isExposed` attribute is set to `false`, using `absolute` or `fixed` positioning is permissible, since the component is not accessible outside the namespace.
- If the `isExposed` attribute is set to `true`, the component must use `relative` positioning to mitigate security risks.

**Addressing the Vulnerabilities:**

1. **Avoid Using `position: absolute` or `position: fixed`**: These styles can interfere with other components and expose vulnerabilities, especially in Lightning Web Components (LWC) and Aura components.
2. **Use `position: relative`**: This is a safer alternative, particularly for components exposed outside their namespace.
3. **Set `isExposed` to `false`**: In the component's meta-XML file, ensure the `isExposed` attribute is set to `false` to limit its accessibility and reduce the risk of malicious overlays.

**Best Practices:**

- These steps help mitigate the risk of clickjacking by preventing unauthorized components from being displayed over legitimate ones.
- Ensure components are securely positioned and do not expose sensitive functionality unnecessarily.
- Follow Salesforce's secure coding practices and clickjacking mitigation documentation.
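The following is an added worked example, not code from this FAQ or from Salesforce's security scanner. It shows the two inputs the guidance above combines (the component's `.js-meta.xml` and its `.css`) as constructed sample files for a hypothetical `overlayCard` component, and a small checker that applies the same rule: `absolute` or `fixed` positioning is only reported when `isExposed` is `true`; with `isExposed` set to `false`, or with `position: relative`, nothing is flagged. The CSS parsing is a deliberately simple rule-by-rule regex, which is an assumption of this example and not how the Salesforce scanner works.

```python
"""Check an LWC bundle for the isExposed + absolute/fixed positioning combination.

Example code added to this FAQ; the component, its CSS and the checker are
constructed for illustration and are not Salesforce's own tooling.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample meta-XML for a hypothetical "overlayCard" component,
# in the real LightningComponentBundle format (metadata namespace is Salesforce's).
META_XML_EXPOSED = """<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>58.0</apiVersion>
    <isExposed>true</isExposed>
    <targets>
        <target>lightning__AppPage</target>
    </targets>
</LightningComponentBundle>
"""

# Same bundle with isExposed flipped to false (the remediation in step 3 above).
META_XML_INTERNAL = META_XML_EXPOSED.replace(
    "<isExposed>true</isExposed>", "<isExposed>false</isExposed>"
)

# Constructed CSS that would be flagged: absolute and fixed positioning.
CSS_FLAGGED = """
/* card overlays whatever is underneath it */
.card  { position: absolute; top: 0; left: 0; width: 100%; }
.badge { position: fixed; bottom: 1rem; right: 1rem; }
"""

# Constructed CSS after remediation: relative positioning only (step 2 above).
CSS_FIXED = """
.card  { position: relative; width: 100%; }
.badge { position: relative; margin-top: 1rem; }
"""

METADATA_NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# One "selector { declarations }" rule at a time; nested at-rules are out of scope here.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
POSITION_RE = re.compile(r"position\s*:\s*(absolute|fixed)\b", re.IGNORECASE)


def is_exposed(meta_xml: str) -> bool:
    """Return True when <isExposed> in the bundle's meta-XML is 'true'."""
    root = ET.fromstring(meta_xml.encode("utf-8"))
    node = root.find("m:isExposed", METADATA_NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def risky_positions(css: str) -> List[Tuple[str, str]]:
    """Return (selector, value) for every absolute/fixed position declaration."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop comments first
    findings = []
    for rule in RULE_RE.finditer(css):
        selector, body = rule.group(1).strip(), rule.group(2)
        for decl in POSITION_RE.finditer(body):
            findings.append((selector, decl.group(1).lower()))
    return findings


def check_component(meta_xml: str, css: str) -> List[str]:
    """Apply the FAQ's rule: absolute/fixed is a finding only when isExposed is true."""
    if not is_exposed(meta_xml):
        # Not reachable outside the namespace, so absolute/fixed is tolerated.
        return []
    return [
        f"{selector}: 'position: {value}' on an isExposed=true component; "
        f"use 'position: relative' or set isExposed to false"
        for selector, value in risky_positions(css)
    ]


if __name__ == "__main__":
    for label, meta, css in [
        ("exposed + absolute/fixed", META_XML_EXPOSED, CSS_FLAGGED),
        ("exposed + relative", META_XML_EXPOSED, CSS_FIXED),
        ("internal + absolute/fixed", META_XML_INTERNAL, CSS_FLAGGED),
    ]:
        findings = check_component(meta, css)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Run against a real bundle by reading `overlayCard.js-meta.xml` and `overlayCard.css` from the component directory and passing their contents to `check_component`; either remediation (switching to `position: relative`, or setting `isExposed` to `false`) makes the result empty, which mirrors the two options the answer gives.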

AI Recommended Enhancement

Related Security Rules
AvoidLmcIsExposedTrue
Question
How do I get specific details about clickjacking vulnerabilities and implement proper CSS positioning?
Recommended Answer Update
To get more specific details about why your component's CSS was flagged as a clickjacking vulnerability and implement proper solutions:

**Understanding the Vulnerability:**

1. **Review the CSS Positioning**: Check whether your component uses `absolute` or `fixed` positioning. If the `isExposed` attribute is set to `true`, you must use `relative` positioning to mitigate the risk. If `isExposed` is set to `false`, `absolute` or `fixed` positioning may be acceptable.
2. **Refer to Documentation**: You can find detailed guidance on secure CSS practices in Salesforce's documentation: [Secure Code Violation - CSS Outside Components](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_css_outside_components.htm)

**Implementation Guidelines:**

**Proper Positioning Context:**

- If the `isExposed` attribute is set to `false`, using `absolute` or `fixed` positioning is permissible, since the component isn't accessible outside the namespace.
- If the `isExposed` attribute is set to `true`, the component must use `relative` positioning to mitigate security risks.

**Addressing the Vulnerabilities:**

1. **Avoid Using `position: absolute` or `position: fixed`**: These styles can interfere with other components and expose vulnerabilities, especially in Lightning Web Components (LWC) and Aura components.
2. **Use `position: relative`**: This is a safer alternative, particularly for components exposed outside their namespace.
3. **Set `isExposed` to `false`**: In the component's meta-XML file, ensure the `isExposed` attribute is set to `false` to limit its accessibility and reduce the risk of malicious overlays.

**Best Practices:**

- These steps help mitigate the risk of clickjacking by preventing unauthorized components from being displayed over legitimate ones.
- Ensure components are securely positioned and don't expose sensitive functionality unnecessarily.
- Follow Salesforce's secure coding practices and clickjacking mitigation documentation.
- Category: CSS and UI Security
- Subcategory: Clickjacking Vulnerabilities and CSS Positioning
Reasoning
The main improvements focus on making the language more conversational and concise while maintaining technical accuracy. Changed 'is not accessible' to 'isn't accessible' and 'do not expose' to 'don't expose' to match the conversational tone guidelines. These are minor refinements that improve readability without changing the technical content or structure. I selected the AvoidLmcIsExposedTrue rule because it directly relates to the core technical content of this FAQ. The FAQ extensively discusses the `isExposed` attribute and its security implications for Lightning components, specifically explaining when to set `isExposed` to `false` to prevent clickjacking vulnerabilities. The rule 'AvoidLmcIsExposedTrue' is specifically designed to flag when `isExposed` is set to `true`, which aligns perfectly with the FAQ's guidance about setting this attribute to `false` for security purposes. The FAQ's section on 'Set `isExposed` to `false`' and the discussion about component exposure outside namespaces directly corresponds to what this security rule addresses.