Is clickjacking still possible in modern browsers?

Yes, especially when sites don’t set strong anti-framing policies or when attackers use creative UI overlays and social engineering.

How do websites prevent clickjacking?

By preventing framing with CSP frame-ancestors (or legacy X-Frame-Options) and by requiring re-auth for sensitive actions.

Does isolation stop clickjacking?

Isolation reduces exposure by containing risky browsing contexts and supporting stricter policies, but app-side anti-framing is still important.

What actions are most at risk?

OAuth authorizations, permissions prompts, payments, and security setting changes are common targets.

Threat playbook

Category: Web Exploits

Clickjacking in the browser

Clickjacking is a UI trick that overlays or disguises elements so a user clicks something different from what they think they’re clicking.

Quick answer

It can drive unintended actions like approving permissions, authorizing payments, or changing account settings—often inside trusted sites.

For exploit chains and sandbox escapes, isolation moves untrusted web execution into an isolated container so the user’s device is not directly exposed to active web payloads.

Last updated

2026-01-29

How it usually happens in the browser

A malicious page embeds or frames a target site (or imitates it) and overlays transparent UI layers.
The user thinks they are clicking a safe button (“play”, “close”, “next”).
Their click lands on a hidden button like “Authorize”, “Enable”, or “Confirm”.
Attackers chain clickjacking with redirects and social engineering to complete high-value actions.

What traditional defenses miss

It’s a UI/interaction attack, not necessarily malware; it may not trigger traditional detections.
The victim’s browser is performing normal clicks; logs may show legitimate user actions.
Some sites still lack robust anti-framing protections.

How isolation changes the game

Isolation reduces exposure to untrusted sites where clickjacking lures are common and makes those sessions disposable.
Policy can require stricter handling for unknown destinations and permission prompts.
Isolation complements app-side protections like frame-busting headers and modern security controls.

See Legba for Chrome

Operational checklist

For your apps: implement anti-clickjacking headers (CSP frame-ancestors) and avoid sensitive actions without re-auth.
For browsing: isolate unknown destinations and ad/redirect traffic where clickjacking lures often live.
Block or warn on permission prompts (notifications, clipboard) on untrusted sites.
Use step-up verification for high-impact actions in critical SaaS apps.
Train users: be suspicious of unexpected “enable/authorize” prompts during browsing.

FAQs.

References

01
OWASP: ClickjackingOWASP
02
Cloudflare: Browser IsolationCloudflare

Clickjacking in the browser

Quick answer

Last updated

How it usually happens in the browser

What traditional defenses miss

How isolation changes the game

Operational checklist

FAQs.

References

Keep exploring

Access anything.
Expose nothing.

Chrome Plugin

OpenClaw

How it usually happens in the browser

What traditional defenses miss

How isolation changes the game

Operational checklist

FAQs.

Is clickjacking still possible in modern browsers?+

How do websites prevent clickjacking?+

Does isolation stop clickjacking?+

What actions are most at risk?+

[References]

Keep exploring

Access anything.Expose nothing.

References

Access anything.
Expose nothing.