FAQ-000280 - CSS and UI Security / Clickjacking Vulnerabilities and CSS Positioning

Current Status: VALID_RESPONSE

Current FAQ

Question
What are acceptable workarounds and security-compliant alternatives for clickjacking issues caused by CSS positioning?
Answer
Here are acceptable workarounds and security-compliant alternatives for addressing clickjacking issues caused by CSS absolute positioning:

**Primary Workarounds:**

1. **Use Relative Positioning**: Set the parent element's position to "relative" and avoid using "absolute" or "fixed" positioning for child elements. This prevents components from being obscured or manipulated maliciously.
2. **Limit Component Exposure**: If the component is not exposed outside its namespace and is only visible on pages owned by the namespace, "absolute" or "fixed" positioning may be acceptable. However, this should be carefully reviewed to ensure no vulnerabilities are introduced.
3. **Set `isExposed` to False**: In the component's meta-xml file, set the `isExposed` attribute to "false" to prevent the component from being accessible by other namespaces. While this doesn't fully resolve the issue, it mitigates the risk.

**Security-Compliant Alternatives for Specific Use Cases:**

**For Popovers and Modals:**

1. **Use Relative Positioning**: This reduces the risk of obscuring other components or making a page unusable, especially for components exposed outside their namespace.
2. **Limit Exposure**: If the component is not exposed outside its namespace and is only visible on specific pages, absolute or fixed positioning may be acceptable with careful review.
3. **Prioritize Relative Positioning**: For shared or reusable components, prioritize relative positioning to ensure security and compatibility.

**Functional Requirements Mitigation:**

To mitigate clickjacking risks while maintaining functionality:

1. **Set `isExposed` to False**: In the component's meta-xml file, set the `isExposed` attribute to "false" to prevent the component from being accessible outside its namespace.
2. **Use Relative Positioning if Exposed**: If the `isExposed` attribute is set to "true", switch to relative positioning instead of absolute to avoid security vulnerabilities.

**General Best Practices:**

- Implement these measures alongside secure development practices to maintain application integrity.
- For shared or reusable components, prioritize relative positioning to ensure security and compatibility.
- These steps help prevent malicious components from overlaying legitimate ones while maintaining your application's functionality.
- Always ensure components are designed not to obstruct other UI elements or create security vulnerabilities.
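The guidance above combines two checks: whether a component bundle is exposed outside its namespace, and whether its CSS uses absolute or fixed positioning. The following is an added example, not code from the FAQ or from the platform vendor, of a small audit script that applies exactly that rule to a component bundle held in memory and that rewrites the meta-xml to the recommended `isExposed` value. It assumes the standard Lightning Web Component `js-meta.xml` layout in which `isExposed` is a child element (`<isExposed>true</isExposed>`); because the FAQ calls it an attribute, the matcher also accepts an `isExposed="true"` attribute spelling. The sample meta file and stylesheet are constructed for the demonstration.

```javascript
// Added example: audit a component bundle against the FAQ's clickjacking guidance.
// Assumption (not stated on the page): isExposed lives in js-meta.xml either as
// <isExposed>true</isExposed> (the standard form) or as an isExposed="true" attribute.

const RISKY_POSITIONS = new Set(['absolute', 'fixed']);

// Read the isExposed flag from the meta-xml text. Returns true/false, or null when
// the flag is absent.
function parseIsExposed(metaXml) {
  const m = /<isExposed>\s*(true|false)\s*<\/isExposed>|isExposed\s*=\s*"(true|false)"/i.exec(metaXml);
  if (!m) return null;
  return (m[1] || m[2]).toLowerCase() === 'true';
}

// Collect every `position:` declaration with the selector it belongs to.
// Comments are removed first so a commented-out rule is not reported.
function findPositionDeclarations(cssText) {
  const noComments = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const results = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let rule;
  while ((rule = ruleRe.exec(noComments)) !== null) {
    const selector = rule[1].trim();
    const declRe = /(?:^|;)\s*position\s*:\s*([a-z-]+)/gi;
    let decl;
    while ((decl = declRe.exec(rule[2])) !== null) {
      results.push({ selector, value: decl[1].toLowerCase() });
    }
  }
  return results;
}

// Apply the FAQ's rule: absolute/fixed positioning in an exposed component is a
// high-severity finding; in a non-exposed component it is flagged for review.
// An empty list means the bundle follows the guidance.
function auditComponent(name, metaXml, cssText) {
  const exposed = parseIsExposed(metaXml) === true;
  const findings = [];
  for (const { selector, value } of findPositionDeclarations(cssText)) {
    if (!RISKY_POSITIONS.has(value)) continue;
    findings.push(exposed
      ? { component: name, selector, value, severity: 'high',
          advice: 'Exposed outside its namespace: use position: relative or set isExposed to false.' }
      : { component: name, selector, value, severity: 'review',
          advice: 'Not exposed: absolute/fixed may be acceptable but needs careful review.' });
  }
  return findings;
}

// Mitigation 3 from the FAQ: rewrite the meta-xml so the component is no longer exposed.
function setIsExposedFalse(metaXml) {
  return metaXml
    .replace(/<isExposed>\s*true\s*<\/isExposed>/i, '<isExposed>false</isExposed>')
    .replace(/isExposed\s*=\s*"true"/i, 'isExposed="false"');
}

// Constructed sample bundle: an exposed popover that uses absolute positioning.
const EXPOSED_META = `<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
    <isExposed>true</isExposed>
</LightningComponentBundle>`;

const RISKY_CSS = `
/* overlay that escapes its host: the pattern the FAQ warns about */
.popover { position: absolute; top: 0; left: 0; }
.host { position: relative; }
/* position: fixed; inside a comment must not be reported */
`;

// The same popover after following the guidance.
const SAFE_CSS = `.popover { position: relative; }`;

// Run the audit over the constructed samples and return the findings per case.
function runAudit() {
  return {
    exposedRisky: auditComponent('popover', EXPOSED_META, RISKY_CSS),
    hiddenRisky: auditComponent('popover', setIsExposedFalse(EXPOSED_META), RISKY_CSS),
    exposedSafe: auditComponent('popover', EXPOSED_META, SAFE_CSS),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The audit is deliberately string-based so it can run in a pre-commit hook or CI job over the bundle's `.css` and `js-meta.xml` files without a full CSS parser; the only decision it encodes is the FAQ's own: exposed plus absolute/fixed is the combination to block, non-exposed plus absolute/fixed is the combination to review.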

AI Recommended Enhancement

Related Security Rules
AvoidLmcIsExposedTrue
Question
What are acceptable workarounds and security-compliant alternatives for clickjacking issues caused by CSS positioning?
Recommended Answer Update
Here are acceptable workarounds and security-compliant alternatives for addressing clickjacking issues caused by CSS absolute positioning:

**Primary Workarounds:**

1. **Use Relative Positioning**: Set the parent element's position to "relative" and avoid using "absolute" or "fixed" positioning for child elements. This prevents components from being obscured or manipulated maliciously.
2. **Limit Component Exposure**: If the component isn't exposed outside its namespace and is only visible on pages owned by the namespace, "absolute" or "fixed" positioning may be acceptable. However, this should be carefully reviewed to ensure no vulnerabilities are introduced.
3. **Set `isExposed` to False**: In the component's meta-xml file, set the `isExposed` attribute to "false" to prevent the component from being accessible by other namespaces. While this doesn't fully resolve the issue, it mitigates the risk.

**Security-Compliant Alternatives for Specific Use Cases:**

**For Popovers and Modals:**

1. **Use Relative Positioning**: This reduces the risk of obscuring other components or making a page unusable, especially for components exposed outside their namespace.
2. **Limit Exposure**: If the component isn't exposed outside its namespace and is only visible on specific pages, absolute or fixed positioning may be acceptable with careful review.
3. **Prioritize Relative Positioning**: For shared or reusable components, prioritize relative positioning to ensure security and compatibility.

**Functional Requirements Mitigation:**

To mitigate clickjacking risks while maintaining functionality:

1. **Set `isExposed` to False**: In the component's meta-xml file, set the `isExposed` attribute to "false" to prevent the component from being accessible outside its namespace.
2. **Use Relative Positioning if Exposed**: If the `isExposed` attribute is set to "true", switch to relative positioning instead of absolute to avoid security vulnerabilities.

**General Best Practices:**

- Implement these measures alongside secure development practices to maintain application integrity.
- For shared or reusable components, prioritize relative positioning to ensure security and compatibility.
- These steps help prevent malicious components from overlaying legitimate ones while maintaining your application's functionality.
- Always ensure components are designed not to obstruct other UI elements or create security vulnerabilities.
- Category: CSS and UI Security
- Subcategory: Clickjacking Vulnerabilities and CSS Positioning
Reasoning
I made minor wording improvements to enhance clarity and flow: changed "is not exposed" to "isn't exposed" and "is only visible" to "is only visible" for better readability in the first instance, then used contractions consistently ("isn't") to maintain a conversational tone as specified in the style guidelines. I selected the AvoidLmcIsExposedTrue rule because the FAQ extensively discusses the `isExposed` attribute in component meta-xml files as a primary mitigation strategy for clickjacking issues. The rule specifically targets Lightning Message Channel components with `isExposed="true"` as a security concern, which directly relates to the FAQ's recommendation to "set the `isExposed` attribute to 'false'" to prevent components from being accessible by other namespaces and mitigate clickjacking risks. The FAQ's content about limiting component exposure and setting isExposed to false aligns perfectly with what this security rule is designed to detect and prevent.