Clickjacking Attack against Authorization

With clickjacking, a malicious site loads the target site in a transparent iframe overlaid on top of a set of dummy buttons that are carefully positioned directly under important buttons on the target site. When a user clicks a visible button, they are actually clicking a button (such as an 'Authorize' button) on the hidden page.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section


This threat is considered fully mitigated if all the test cases from the following test set succeed.
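As an added illustration (not part of the original page or its test set), the following Python sketch checks whether the response headers of an authorization page tell the browser to refuse framing, using the standard `X-Frame-Options` header and the CSP `frame-ancestors` directive. The function names and sample header values are constructed for this example, and it assumes each header appears once.

```python
def framing_policy(headers):
    """Classify the anti-framing protection declared by a response.

    headers: dict of header name -> value (assumes one value per header).
    Returns 'deny', 'same-origin', 'allowlist' or 'unprotected'.
    """
    h = {name.lower(): value for name, value in headers.items()}

    # Browsers that support CSP frame-ancestors enforce it and ignore
    # X-Frame-Options, so evaluate it first. The Report-Only variant of
    # the header is a different name and is never enforced.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        if not sources or sources == ["'none'"]:
            return "deny"            # an empty source list matches nothing
        if sources == ["'self'"]:
            return "same-origin"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "unprotected"     # any origin may frame the page
        return "allowlist"           # specific origins: review each one

    # Legacy header: only DENY and SAMEORIGIN are honoured by current
    # browsers; ALLOW-FROM and malformed values give no protection.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "same-origin"
    return "unprotected"


def authorize_page_protected(headers):
    """True when no third-party origin can frame the authorization page."""
    return framing_policy(headers) in ("deny", "same-origin")


if __name__ == "__main__":
    # Constructed sample responses for an authorization endpoint.
    samples = [
        {"X-Frame-Options": "DENY"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
        {"X-Frame-Options": "ALLOW-FROM https://client.example"},
    ]
    for sample in samples:
        print(framing_policy(sample), sample)
```

An `allowlist` result is reported as not protected here because every listed origin would need to be reviewed before it is trusted to frame the 'Authorize' button.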
