CyberGlossary

Attacks & Threats

Clickjacking

Also known as: UI redress attack

Definition

A UI-redress attack that tricks users into clicking on something different from what they perceive by overlaying or hiding a target page inside an attacker-controlled page.

Clickjacking embeds a sensitive page (for example, account settings, OAuth consent, payment confirmation) inside an iframe on a malicious site and visually disguises it — often through transparency, careful CSS overlays, or strategic positioning under decoy buttons. The user believes they are interacting with the visible page, while their clicks, taps, or drags are actually delivered to the hidden frame, performing actions in their authenticated session. Variants include cursorjacking, drag-and-drop attacks, and double-clickjacking. Defences require server-side controls on the target page: setting X-Frame-Options or, preferably, a Content-Security-Policy header with a frame-ancestors directive, plus user-interaction requirements for sensitive actions and SameSite cookies to limit cross-context state.
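The two header controls above, as an added example that is not part of the glossary: a checker that parses X-Frame-Options and the CSP frame-ancestors directive and answers whether a given third-party origin could frame the page, with a weak header set beside its hardened form. All header values and origins are constructed for illustration.

```python
"""Check HTTP response headers for framing (clickjacking) protection.

Added example, not part of the glossary entry. It evaluates the two
server-side controls named in the definition: X-Frame-Options and the
Content-Security-Policy frame-ancestors directive."""
from typing import Dict, List, Optional


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: Dict[str, str], embedder_origin: str) -> bool:
    """True if a page served with `headers` could be embedded by `embedder_origin`
    (e.g. "https://attacker.example"). The embedder is assumed to be a different
    origin from the page itself, so 'self' never grants it access here."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(lowered.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present, browsers honour it and ignore X-Frame-Options.
        if not sources or sources == ["none"]:
            return False
        origin = embedder_origin.lower().rstrip("/")
        host = origin.split("://", 1)[-1]
        for src in sources:
            if src == "*" or src in (origin, host):
                return True
            pattern = src.split("://", 1)[-1]          # drop scheme for wildcard match
            if pattern.startswith("*.") and host.endswith(pattern[1:]):
                return True
        return False
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    return True  # missing or obsolete (ALLOW-FROM) value: any site may frame the page


# Weak configuration beside its hardened form (constructed values).
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",                            # honoured by older browsers
    "Content-Security-Policy": "frame-ancestors 'none'",  # modern control, takes precedence
}
```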

Examples

  • A page tells users to "click here to win", with a transparent iframe over the button pointing to a social-network share-permission dialog.
  • A pixel-perfect overlay tricks a user into clicking "Approve" on an OAuth consent screen for an attacker app.

Related terms