FAQ-000795 - External Content and Iframe Security / Iframe Permissions and Managed Package Policies


Current FAQ

Question
Are iframe implementations generally acceptable in managed packages for AppExchange?
Answer
Iframe implementations are not generally acceptable in managed packages for AppExchange. Lightning components are considered a security boundary, and packages like "iframeloader" are not approved. Developers must ensure that all scripts are loaded in static resources and that the security properties of the offering can be fully understood by analyzing the source code.

AI Recommended Enhancement

Related Security Rules
AvoidAuraWithLockerDisabled
Question
Are iframe implementations generally acceptable in managed packages for AppExchange?
Recommended Answer Update
Iframe implementations are not generally acceptable in managed packages for AppExchange. Lightning components are considered a security boundary, and packages like "iframeloader" are not approved. Developers must ensure that all scripts are loaded in static resources and that the security properties of the offering can be fully understood by analyzing the source code.
Reasoning
The current FAQ content is accurate and well-structured. No outdated content was detected, and the answer appropriately addresses iframe security concerns for AppExchange packages. The content clearly explains the restrictions on iframe implementations and emphasizes the importance of static resource usage and code analyzability.

I selected the AvoidAuraWithLockerDisabled rule because it directly relates to the FAQ's discussion of Lightning component security boundaries. The FAQ mentions that "Lightning components are considered a security boundary" and discusses security properties that must be analyzable - this aligns with the AvoidAuraWithLockerDisabled rule which enforces security boundaries in Aura components. While the FAQ doesn't explicitly mention LockerService, the underlying security principle of maintaining component boundaries and ensuring analyzable security properties is the same concern that the AvoidAuraWithLockerDisabled rule addresses.