FAQ-000304 - CSS and UI Security / Improper CSS Loading Vulnerabilities


Current FAQ

Question
How do I ensure custom style loading fixes will be accepted in subsequent reviews?
Answer
To ensure your custom style loading fixes are accepted in subsequent Salesforce security reviews, follow these best practices:

**Primary Requirements:**

1. **Use Static Resources**: Load all CSS and other resources from static resources instead of third-party sources. This keeps the files under your version control and out of reach of a third-party server.
2. **Avoid Dynamic Loading**: Do not dynamically load CSS or JavaScript directly into components. If dynamic content is necessary, strip it of any CSS or JavaScript code.
3. **Reference Static Resources Properly**: Include all third-party CSS files in the static resources folder of your package and reference them using a `$Resource` URL.

**Implementation Guidelines:**

4. **Version Control**: Ensure the entire solution is under version control, and that any changes are reflected in the package version ID.
5. **Address Vulnerabilities**: Follow the security review guide and resolve all flagged vulnerabilities, especially those related to improper resource loading.
6. **Proper Documentation**: Document any necessary changes and ensure they align with security requirements.

**Specific Steps for Resolution:**

1. **Resolve Specific Issues**: Take the specific steps needed to resolve Lightning Improper CSS Load vulnerabilities:
   - Save all third-party CSS files in static resources
   - Use the `<ltng:require>` tag in your Lightning component markup to securely reference CSS files from static resources
   - Adhere to style isolation principles
2. **Follow Security Standards**: Ensure your CSS implementation complies with Salesforce's security policies.
3. **Test Thoroughly**: Validate that all fixes work correctly and do not introduce new vulnerabilities.

**Best Practices for Acceptance:**

- Maintain consistency with Salesforce's security guidelines
- Ensure all resources are properly packaged and version-controlled
- Address all flagged vulnerabilities comprehensively
- Follow established patterns for secure resource loading
- Document any exceptions with proper justification

By adhering to these guidelines, you can align with Salesforce's security requirements and increase the likelihood of passing future reviews.
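As an added example (not code from this FAQ or from Salesforce's own review rules), the JavaScript below scans Visualforce and Aura markup and reports stylesheet references that do not resolve through `$Resource`, which is the distinction the answer above draws. The tag/attribute table, the `isStaticResourceRef` heuristic and the sample markup are assumptions constructed here for illustration.

```javascript
// Added example (not Salesforce's own rule implementation): a small lint pass
// that mirrors the FAQ's distinction between stylesheet references served from
// a package static resource ($Resource) and references fetched from external
// URLs. The tag list, attribute names and sample markup are constructed here.

// Markup tags that carry a stylesheet location, and the attribute holding it.
const STYLE_ATTRS = {
  'apex:stylesheet': 'value', // Visualforce (cf. LoadCSSApexStylesheet)
  link: 'href',               // <link rel="stylesheet"> (cf. LoadCSSLinkHref)
  'ltng:require': 'styles',   // Aura component markup
};

// Acceptable only when the value is a merge-field expression naming a
// $Resource and no absolute or protocol-relative URL is smuggled inside it.
function isStaticResourceRef(value) {
  const v = value.trim();
  return /^\{!.*\$Resource\..*\}$/s.test(v) && !/https?:\/\/|(^|['"])\/\//i.test(v);
}

// Returns findings {tag, value} for every stylesheet reference that does not
// resolve through a static resource. Plain text scan; no XML parser needed.
function findExternalStyleRefs(markup) {
  const findings = [];
  const tagRe = /<(apex:stylesheet|link|ltng:require)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // A <link> only loads CSS when rel="stylesheet".
    if (tag === 'link' && !/rel\s*=\s*["']stylesheet["']/i.test(attrs)) continue;
    // Quote-aware attribute match, so a URLFOR(..., 'path') value stays intact.
    const attrRe = new RegExp(`(?:^|\\s)${STYLE_ATTRS[tag]}\\s*=\\s*(["'])(.*?)\\1`, 'i');
    const a = attrRe.exec(attrs);
    if (a && !isStaticResourceRef(a[2])) findings.push({ tag, value: a[2] });
  }
  return findings;
}

// Constructed sample mixing Visualforce and Aura tags: two external loads that
// a reviewer would flag, two correct static-resource references.
const SAMPLE_MARKUP = `
<link rel="stylesheet" href="https://cdn.example.com/theme.css"/>
<apex:stylesheet value="https://cdn.example.com/grid.css"/>
<apex:stylesheet value="{!URLFOR($Resource.vendorCss, 'css/grid.css')}"/>
<ltng:require styles="{!$Resource.themeCss}"/>
`;

console.log(findExternalStyleRefs(SAMPLE_MARKUP));
```

Running it reports the `<link>` and the first `<apex:stylesheet>` and accepts the two `$Resource` references; feed it the markup of each component in the package before resubmitting.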

AI Recommended Enhancement

Related Security Rules: LoadCSSLinkHref, LoadCSSApexStylesheet
Question
How do I ensure custom style loading fixes will be accepted in subsequent reviews?
Recommended Answer Update
To ensure your custom style loading fixes are accepted in subsequent Salesforce security reviews, follow these best practices:

**Primary Requirements:**

1. **Use Static Resources**: Load all CSS and other resources from static resources instead of third-party sources. This ensures version control and security.
2. **Avoid Dynamic Loading**: Don't dynamically load CSS or JavaScript directly into components. If dynamic content is necessary, strip it of any CSS or JavaScript code.
3. **Reference Static Resources Properly**: Include all third-party CSS files in the static resources folder of your package and reference them using a `$Resource` URL.

**Implementation Guidelines:**

4. **Version Control**: Ensure the entire solution is under version control, and any changes are reflected in the package version ID.
5. **Address Vulnerabilities**: Follow the security review guide and resolve all flagged vulnerabilities, especially those related to improper resource loading.
6. **Proper Documentation**: Document any necessary changes and ensure they align with security requirements.

**Specific Steps for Resolution:**

1. **Resolve Specific Issues**: Take specific steps needed to resolve Lightning Improper CSS Load vulnerabilities:
   - Save all third-party CSS files in static resources
   - Use the `<lightning:require>` tag or `loadStyle()` method in your Lightning component to securely reference CSS files from static resources
   - Adhere to style isolation principles
2. **Follow Security Standards**: Ensure your CSS implementation complies with Salesforce's security policies.
3. **Test Thoroughly**: Validate that all fixes work correctly and don't introduce new vulnerabilities.

**Best Practices for Acceptance:**

- Maintain consistency with Salesforce's security guidelines
- Ensure all resources are properly packaged and version-controlled
- Address all flagged vulnerabilities comprehensively
- Follow established patterns for secure resource loading
- Document any exceptions with proper justification

By adhering to these guidelines, you can align with Salesforce's security requirements and increase the likelihood of passing future reviews.
Reasoning
The main outdated content detected was the reference to `<ltng:require>` tag, which is deprecated and no longer recommended for Lightning components. Modern Lightning components should use the `<lightning:require>` tag or the `loadStyle()` method instead. This is consistent with current Salesforce Lightning development practices. The wording was also simplified slightly to be more conversational (changing 'Do not' to 'Don't'). The selected security rules are directly related to the FAQ content: LoadCSSLinkHref detects CSS loading vulnerabilities from external links (which the FAQ addresses by recommending static resources), and LoadCSSApexStylesheet detects improper CSS loading patterns in Apex (which the FAQ specifically mentions as 'Lightning Improper CSS Load vulnerabilities'). Both rules directly correspond to the security issues this FAQ is helping developers resolve.