FAQ-000279 - CSS and UI Security / Clickjacking Vulnerabilities and CSS Positioning

Yes, using `position: absolute` in globally accessible components carries significantly higher security risks compared to namespaced components. **Globally Accessible Components (Higher Risk):** - **Increased Exposure**: Globally accessible components are exposed outside the namespace and can be used on shared pages, increasing the likelihood of being flagged as a clickjacking risk - **Broader Attack Surface**: These components can be accessed and potentially exploited by external entities - **Shared Page Vulnerabilities**: When used on shared pages, absolute positioning can interfere with other components or applications - **Recommendation**: Avoid using `position: absolute` if the component is globally accessible (`isExposed` is set to `true`). Instead, use `position: relative` to mitigate security risks like clickjacking or interference with other components **Namespaced Components (Lower Risk):** - **Limited Exposure**: Namespaced components are limited to pages owned by the namespace, reducing the exposure and associated risks - **Controlled Environment**: Usage is restricted to specific, controlled scenarios within the namespace - **Acceptable Conditions**: `Position: absolute` may be acceptable if: - The component is not exposed outside of its namespace - Its visibility is limited to pages owned by the namespace (e.g., a progress bar used only on specific pages within the namespace) **Security Implications:** - **Namespace Isolation**: Components not exposed outside their namespace benefit from better isolation and reduced risk - **Controlled Usage**: Limited visibility to namespace-owned pages provides better security control - **Risk Mitigation**: Setting `isExposed` to `false` limits accessibility and reduces vulnerabilities, though it doesn't fully resolve all positioning-related issues **Best Practices:** - For globally accessible components: Always use relative positioning - For namespaced components: Absolute positioning may be acceptable under strict conditions - Always ensure components don't interfere with shared pages or other applications - Document the specific use case and scope when using absolute positioning in namespaced components - Category: CSS and UI Security - Subcategory: Clickjacking Vulnerabilities and CSS Positioning

The FAQ content is well-structured and accurate. No significant outdated content or security confusion was detected that required corrections. The content effectively explains the security risks of using `position: absolute` in different component contexts. I selected the AvoidLmcIsExposedTrue rule because it directly relates to the core concept discussed in this FAQ. The FAQ extensively discusses the `isExposed` attribute and its security implications - specifically how setting `isExposed` to `true` (making components globally accessible) increases security risks, while setting it to `false` (keeping components namespaced) reduces risks. The rule AvoidLmcIsExposedTrue flags when components have `isExposed` set to `true`, which aligns perfectly with the FAQ's recommendation to 'avoid using position: absolute if the component is globally accessible (isExposed is set to true)' and its guidance that 'setting isExposed to false limits accessibility and reduces vulnerabilities.' The FAQ's entire premise is built around the security distinction between exposed vs non-exposed components, making this rule directly applicable to the content being explained.