Web security
What is Clickjacking?
Clickjacking loads your real site inside a transparent iframe on an attacker page, positioned so a victim who thinks they are clicking a harmless button actually clicks something on your site — approving a payment, changing a setting. The defence is telling browsers your pages may not be framed by others, via a Content-Security-Policy frame-ancestors directive (or the older X-Frame-Options header).
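To check that a response actually carries this defence, the following added example (not part of the original page) decides from a set of response headers whether another site could frame the page. The function names and the sample headers, including partner.example, are assumptions constructed for illustration.

```python
# Added example: decide from response headers whether other sites can frame a page.

def frame_ancestors(policy):
    """Source list of the first frame-ancestors directive in one CSP policy, else None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def allows_any_origin(sources):
    """True for the common wildcard forms that let any site embed the page."""
    return any(s in ("*", "http:", "https:") or s.endswith("://*") for s in sources)

def framing_verdict(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason)."""
    policies, xfo = [], set()
    for name, value in headers:
        name = name.lower()
        if name == "content-security-policy":  # the Report-Only header is not enforced
            for policy in value.split(","):    # a comma separates policies in one header
                sources = frame_ancestors(policy)
                if sources is not None:
                    policies.append(sources)
        elif name == "x-frame-options":
            xfo.update(v.strip().upper() for v in value.split(","))
    if policies:
        # Every enforced policy must allow the embedder, so one strict policy suffices.
        # Browsers that enforce frame-ancestors ignore X-Frame-Options.
        strict = [p for p in policies if not allows_any_origin(p)]
        if strict:
            return True, "frame-ancestors " + (" ".join(strict[0]) or "'none'")
        return False, "frame-ancestors matches any origin"
    if xfo & {"DENY", "SAMEORIGIN"}:
        return True, "X-Frame-Options " + ", ".join(sorted(xfo))
    if xfo:
        return False, "X-Frame-Options value not enforced by current browsers"
    return False, "no framing policy sent"

if __name__ == "__main__":
    samples = [  # constructed header sets
        [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        [("Content-Security-Policy", "frame-ancestors *"), ("X-Frame-Options", "DENY")],
        [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        [("Content-Security-Policy-Report-Only", "frame-ancestors 'self'")],
    ]
    for headers in samples:
        print(framing_verdict(headers), headers)
```

Only the first constructed sample is protected: a wildcard frame-ancestors overrides X-Frame-Options, ALLOW-FROM is obsolete, and a Report-Only policy reports violations without blocking them.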