FAQ-000308 - CSS and UI Security / Improper CSS Loading Vulnerabilities


Current FAQ

Question
How can CSS files cause security review failures and what constitutes an "Improper CSS load Vulnerability"?
Answer
CSS files can cause security review failures and constitute "Improper CSS load Vulnerabilities" in several ways:

### How CSS Files Cause Security Review Failures

1. **External Source Loading**: CSS loaded from a third-party source (a CDN or any other host outside the package) instead of being shipped in the static resources of the package.
2. **Style Isolation Breaches**: CSS that uses directives or selectors incompatible with component style isolation, so that styles escape the component's own namespace and one component can alter the rendering of another.

### What Constitutes an "Improper CSS load Vulnerability"

**In Lightning Web Components:** the vulnerability occurs when an external stylesheet is loaded directly from a third-party source (for example by passing a literal URL to `loadStyle`, or through an `@import` in the component stylesheet) instead of being included as a static resource within the solution package. This violates the security policies and can lead to:

- **Namespace isolation breaches**, where one component may interfere with another
- **Exposure to untrusted content**, since a stylesheet served from outside the package is not part of the reviewed artifact and can change after the review without any new review
- **Security policy violations** that compromise application integrity

**In Aura (general Lightning) Components:** the vulnerability occurs when an external stylesheet is loaded with a `<link>` tag or from a third-party source rather than through `<ltng:require>` with a static resource. The same risks apply: namespace isolation breaches and styles that the package author does not control.

### How to Fix These Issues

1. **Use Static Resources**: Save the CSS file as a static resource and add it to the solution package.
2. **Reference It Through the Supported Loader**: In Aura, reference the static resource with `<ltng:require>` and a `$Resource` expression in the component markup; in LWC, import the resource URL from `@salesforce/resourceUrl` and pass it to `loadStyle` from `lightning/platformResourceLoader`.
3. **Avoid External Loading**: Never load CSS directly from a third-party URL, whether in markup, in JavaScript, or via `@import` in a stylesheet.
4. **Maintain Isolation**: Scope selectors to the component so the CSS does not breach namespace boundaries or interfere with other components.
### Security Implications

These practices pose security risks and violate AppExchange security requirements because they:

- Compromise namespace isolation
- Introduce external dependencies that cannot be reviewed and that can change after the review
- Create potential attack vectors through untrusted resources
- Violate Salesforce's security policies for managed packages

By following proper CSS loading practices, you avoid these vulnerabilities and keep the package compliant with the security review requirements.
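The following Node.js script is an added example, not text from this FAQ and not Salesforce's review tooling. It scans a set of component source files for the loading patterns the answer above describes (a `<link>` tag, an external URL in `<ltng:require>`, a literal URL passed to `loadStyle`, or an `@import` from a third-party host) and passes the static-resource forms that are the fix. The rule regexes, the rule names and the sample component files are all constructed for illustration; a real pre-submission check would walk the package directory instead of an in-memory object.

```javascript
// Added example, not from the original FAQ or Salesforce's review tooling:
// a scanner that flags the CSS-loading patterns the review rejects
// (external URLs, <link> tags) and passes static-resource loads.
// The regexes and sample files below are constructed for illustration.

// A reference is external when it points outside the package:
// http(s):// or a protocol-relative // URL.
function isExternal(ref) {
  return /^(?:https?:)?\/\//i.test(ref.trim());
}

// Each rule: a regex whose first capture group is the referenced stylesheet,
// and whether it is flagged even when the reference is not an external URL.
const RULES = [
  {
    id: 'link-tag',
    re: /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>/gi,
    alwaysFlag: true, // <link> is never the supported mechanism in packaged components
  },
  {
    id: 'css-import',
    re: /@import\s+(?:url\(\s*)?["']?([^"')\s]+)["']?\s*\)?/gi,
    alwaysFlag: false,
  },
  {
    id: 'ltng-require',
    re: /<ltng:require\b[^>]*\bstyles\s*=\s*["']([^"']+)["']/gi,
    alwaysFlag: false, // {!$Resource.x} references are the fix, not a finding
  },
  {
    id: 'loadstyle-literal-url',
    re: /loadStyle\s*\(\s*[^,]+,\s*["'`]([^"'`]+)["'`]/gi,
    alwaysFlag: false, // loadStyle(this, RESOURCE_URL + '/x.css') has no quoted literal, so it is not matched
  },
];

// Returns one finding per offending reference: { file, line, rule, ref }.
function scanForImproperCssLoads(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    for (const { id, re, alwaysFlag } of RULES) {
      re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = re.exec(text)) !== null) {
        const ref = m[1];
        if (!alwaysFlag && !isExternal(ref)) continue;
        const line = text.slice(0, m.index).split('\n').length; // 1-based line of the match
        findings.push({ file, line, rule: id, ref });
      }
    }
  }
  return findings;
}

// Constructed sample package: three files violate the rule, two follow it.
const SAMPLE_FILES = {
  'aura/badCard/badCard.cmp': `<aura:component>
  <link rel="stylesheet" href="https://cdn.example.com/theme.css"/>
  <ltng:require styles="https://cdn.example.com/grid.css"/>
</aura:component>`,
  'aura/goodCard/goodCard.cmp': `<aura:component>
  <ltng:require styles="{!$Resource.themeCss}"/>
</aura:component>`,
  'lwc/badBanner/badBanner.js': `import { LightningElement } from 'lwc';
import { loadStyle } from 'lightning/platformResourceLoader';
export default class BadBanner extends LightningElement {
  connectedCallback() { loadStyle(this, 'https://cdn.example.com/banner.css'); }
}`,
  'lwc/badBanner/badBanner.css': `@import url("https://fonts.example.com/font.css");
:host { display: block; }`,
  'lwc/goodBanner/goodBanner.js': `import { LightningElement } from 'lwc';
import { loadStyle } from 'lightning/platformResourceLoader';
import THEME from '@salesforce/resourceUrl/themeCss';
export default class GoodBanner extends LightningElement {
  connectedCallback() { loadStyle(this, THEME + '/banner.css'); }
}`,
};

// Report each finding as file:line [rule] reference, in the style of a linter.
for (const f of scanForImproperCssLoads(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.ref}`);
}
```

Run against the constructed sample, the scanner reports the `<link>` and the external `<ltng:require>` in `badCard.cmp`, the literal URL in `badBanner.js` and the `@import` in `badBanner.css`, and nothing for the two components that load a packaged static resource. The `loadStyle` rule deliberately matches only a quoted literal so that the `@salesforce/resourceUrl` pattern is not reported; a stricter check could additionally require the second argument to derive from a `resourceUrl` import.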