by dandare 2959 days ago
A quite common misunderstanding about Clickjacking is the idea that 3rd party content embedded in an iframe can hijack clicks from the parent (your) website. While embedding an untrusted iframe in your website is not a good idea, the Clickjacking attack goes the other way around.
2 comments

Why aren't events masked by the last several frames generated by the rendering system?

If a page is divided into two columns with the left half originating from the source origin and the right half from a delegated origin, why should the source origin observe interaction events from the right half, or vice versa?

We should be able to press a hotkey and immediately see at-a-glance who is operating what.

Yeah, that took me a while to figure out just now. But I still don't see how that's an issue; I'm browsing on ycombinator.com, not ashittyiframesite.com.