Why is JavaScript frame-busting an unreliable clickjacking defense, and what is "double-clickjacking"?
Frame-busting is client-side JavaScript in the protected page that tries to break out of any frame it finds itself in, e.g. if (top !== self) top.location = self.location. It is unreliable because the attacker controls the embedding page and can neutralise the script before it has any effect: the iframe sandbox attribute (without allow-top-navigation) makes the top.location assignment fail, so the frame simply stays put; an onbeforeunload handler on the attacker's page fires when the script tries to navigate the top window and can make the user cancel the navigation or, in the classic variant, request a URL that returns 204 No Content so the pending redirect is dropped without any prompt; and legacy mechanisms such as IE's security="restricted" iframe attribute or an abused browser XSS filter could stop the frame-busting script from running at all (the bypass catalogue is in "Busting Frame Busting", Rydstedt, Bursztein, Boneh and Jackson, 2010). Any defence that depends on script executing inside the framed page is at the mercy of an environment the attacker chose. The robust control is a response header the browser enforces before any script in the page runs: Content-Security-Policy: frame-ancestors (with 'none', 'self', or an explicit allow-list of embedding origins), plus X-Frame-Options: DENY or SAMEORIGIN as a fallback for older browsers. When both are present, browsers that understand frame-ancestors use it and ignore X-Frame-Options, which matters because X-Frame-Options cannot express a third-party allow-list (ALLOW-FROM is dead). Two checks worth making: the headers must be sent on the response for every page that should not be framed, not just the site's landing page, and frame-ancestors is ignored in a <meta> CSP, so it has to be a real HTTP header.
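The following is an added example, not code from the original answer: it builds the anti-framing response headers for a page and then evaluates them the way a browser does, so you can check offline what a given frame-ancestors list or X-Frame-Options value actually permits. The origins (bank.example, partner.example, evil.example) and the policies are constructed for illustration; the source-matching logic covers 'none', 'self', scheme sources and host sources with an optional wildcard and port, which is enough for the cases that come up in practice.

```javascript
// Added example (not from the original page): build anti-framing headers and
// evaluate them the way a browser does. All origins below are constructed.

// Headers for a page that may be embedded only by the given frame-ancestors
// sources, e.g. ["'self'", "https://partner.example"]. Empty array = never framed.
function antiFramingHeaders(allowed) {
  const sources = allowed.length ? allowed : ["'none'"];
  return {
    // Enforced by the browser before any script in the page runs, so sandbox,
    // onbeforeunload or a 204 trick in the embedding page cannot defeat it.
    "Content-Security-Policy": `frame-ancestors ${sources.join(" ")}`,
    // X-Frame-Options cannot express an allow-list (ALLOW-FROM is dead), so the
    // legacy fallback is DENY or SAMEORIGIN; third parties are blocked there.
    // Browsers that understand frame-ancestors ignore X-Frame-Options if both are set.
    "X-Frame-Options": allowed.length ? "SAMEORIGIN" : "DENY",
  };
}

// Does one frame-ancestors source match an ancestor origin ("scheme://host[:port]")?
// Supported: 'none', 'self', a scheme ("https:"), and host sources with an
// optional "*." prefix and optional port. As in CSP, a source without a port
// matches only the scheme's default port (URL.port is "" in that case).
function sourceMatches(source, pageOrigin, ancestorOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return anc.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;                       // unparseable source never matches
  const [, scheme, wildcard, host, port] = m;
  // A host source without a scheme inherits the scheme of the protected page.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : new URL(pageOrigin).protocol;
  if (anc.protocol !== wantScheme) return false;
  const h = host.toLowerCase();
  if (wildcard ? !anc.hostname.endsWith("." + h) : anc.hostname !== h) return false;
  return port === "*" || (port || "") === anc.port;
}

// May `pageOrigin`, served with `headers`, be displayed inside the given chain
// of ancestor origins (innermost embedder first, top-level document last)?
function framingAllowed(headers, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true;    // top-level load: nothing to check
  const csp = headers["Content-Security-Policy"] || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (directive) {
    // Every ancestor in the chain must match at least one listed source.
    const sources = directive.split(/\s+/).slice(1);
    return ancestors.every((a) => sources.some((s) => sourceMatches(s, pageOrigin, a)));
  }
  const xfo = (headers["X-Frame-Options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  // Modern browsers check the whole chain for SAMEORIGIN; old ones only the top.
  if (xfo === "SAMEORIGIN") return ancestors.every((a) => a === pageOrigin);
  return true;   // no header at all: only frame-busting JS is left, and the attacker can defeat that
}

// Demo: a page that allows itself and one partner, then a hostile embedder.
const demoHeaders = antiFramingHeaders(["'self'", "https://partner.example"]);
console.log(demoHeaders["Content-Security-Policy"]);                                   // frame-ancestors 'self' https://partner.example
console.log(framingAllowed(demoHeaders, "https://bank.example", ["https://partner.example"])); // true
console.log(framingAllowed(demoHeaders, "https://bank.example", ["https://evil.example"]));    // false
```

The evaluator deliberately requires every ancestor in the chain to match: a partner page that is itself framed by an attacker still fails the check, which is how frame-ancestors behaves and the reason it closes the nested-frame gap that the old top-only X-Frame-Options check left open.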
Double-clickjacking (disclosed by Paulos Yibelo at the end of 2024) sidesteps framing defences entirely, because nothing is framed. The attacker's page opens a new window showing a decoy that asks the user to double-click (a fake CAPTCHA or "confirm you are human" prompt is typical), while your real site is loaded as a normal top-level document with the user's session in the window underneath (or the decoy window is swapped for it). On the mousedown of the first click the attacker closes or swaps the decoy, so the second click of the double-click lands on your page, on whatever control the attacker positioned under the cursor, typically an OAuth "Authorize" or "Allow" button or a destructive confirm. frame-ancestors and X-Frame-Options never come into play because no iframe is involved, and SameSite cookies do not help either: the sensitive page arrives via a top-level navigation, which is exactly what SameSite=Lax sends cookies on, so it loads fully authenticated. The defence therefore has to live in the page itself (or, ideally, the browser): keep sensitive buttons disabled until the page has been visible for a short interval and a deliberate gesture (pointer movement or a key press) has been observed inside it, so that a click landing milliseconds after the page is exposed, with no movement before it, is ignored; never let a single click on a freshly loaded page perform an irreversible or authorization-granting action without a separate confirmation step; and log clicks that arrive without any preceding pointer movement, since they are a strong signal of this attack.
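As an added example (not code from the original answer or from the disclosure), here is the "arm the button only after a delay and a real gesture" mitigation written as a small gate with an injectable clock, so the attack timeline can be replayed offline without a browser. The 500 ms threshold, the event names used for wiring, and the "authorize" element id are assumptions; the replayed timelines are constructed.

```javascript
// Added example (not from the original page or the disclosure): a gate that
// arms a sensitive button only after the page has been visible for
// `minVisibleMs` and a deliberate gesture (pointer movement or key press) has
// been seen. A double-clickjacked second click reaches the page within the OS
// double-click interval (well under 500 ms) and without any pointer movement
// inside the page, so it is refused. The 500 ms default is an assumption.
class ClickGate {
  constructor({ minVisibleMs = 500, now = () => Date.now() } = {}) {
    this.minVisibleMs = minVisibleMs;
    this.now = now;               // injectable clock, so the gate can be replayed offline
    this.visibleSince = null;     // when the page became visible; null while hidden
    this.gestureSeen = false;     // pointermove/keydown observed since it became visible
    this.refused = [];            // refused clicks, worth reporting as telemetry
  }
  onShown()   { this.visibleSince = this.now(); this.gestureSeen = false; }
  onHidden()  { this.visibleSince = null; this.gestureSeen = false; }
  onGesture() { if (this.visibleSince !== null) this.gestureSeen = true; }
  armed() {
    return this.visibleSince !== null && this.gestureSeen
      && this.now() - this.visibleSince >= this.minVisibleMs;
  }
  // true = let the click perform the sensitive action; false = swallow it.
  onClick() {
    if (this.armed()) return true;
    this.refused.push({
      at: this.now(),
      sinceShown: this.visibleSince === null ? null : this.now() - this.visibleSince,
      gestureSeen: this.gestureSeen,
    });
    return false;
  }
}

// Replay a constructed timeline of [msOffset, eventType] pairs against a gate
// and return, for every click, whether it was accepted.
function replay(events, opts = {}) {
  let t = 0;
  const gate = new ClickGate({ ...opts, now: () => t });
  const accepted = [];
  for (const [at, type] of events) {
    t = at;
    if (type === "shown") gate.onShown();
    else if (type === "hidden") gate.onHidden();
    else if (type === "gesture") gate.onGesture();
    else if (type === "click") accepted.push(gate.onClick());
  }
  return accepted;
}

// Attack shape: the authorize page is exposed under the cursor and the second
// half of the double-click lands 40 ms later with no gesture in between.
console.log(replay([[0, "shown"], [40, "click"]]));                       // [ false ]
// Legitimate user: page shown, mouse moves, click after reading the prompt.
console.log(replay([[0, "shown"], [300, "gesture"], [1200, "click"]]));  // [ true ]

// Wiring for a real page; skipped when there is no DOM (e.g. under Node).
// Assumes the sensitive control has id "authorize" (an assumption, not the page's).
if (typeof document !== "undefined") {
  const gate = new ClickGate();
  const button = document.getElementById("authorize");
  const render = () => { button.disabled = !gate.armed(); };
  const rearm = () => { render(); setTimeout(render, gate.minVisibleMs + 10); };
  // Gaining focus (which is what happens when the decoy window closes) restarts the timer.
  window.addEventListener("pageshow", () => { gate.onShown(); rearm(); });
  window.addEventListener("focus", () => { gate.onShown(); rearm(); });
  document.addEventListener("visibilitychange", () => {
    if (document.hidden) gate.onHidden(); else gate.onShown();
    rearm();
  });
  for (const ev of ["pointermove", "keydown"]) {
    document.addEventListener(ev, () => { gate.onGesture(); render(); });
  }
  // Capture phase so the check runs before the page's own click handler.
  button.addEventListener("click", (e) => {
    if (!gate.onClick()) { e.preventDefault(); e.stopImmediatePropagation(); }
  }, true);
  render();
}
```

Two design points: the gate resets on every focus or visibility change, because the moment the decoy window closes is exactly when the target window gains focus, and disabling the button in the DOM is only the visible half; the capture-phase click handler is what actually refuses a click that slips through, and the refused list is what you would ship to telemetry.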