9.3 Preventing Clickjacking Attacks

Web applications allow external sites to include their content by using IFrames. This enables an attacker to embed malicious code beneath legitimate clickable content and trick a web user into clicking content that the attacker controls.

NOTE: The configuration to prevent this attack is enabled by default in Administration Console.

For information about how to prevent this attack in Identity Server, see Section 3.14, Preventing Clickjacking and XFS Attacks.
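
To confirm that a response cannot be framed by another site, an administrator can audit its headers. The following is an added example, not code from the product or its documentation. It assumes the protection is delivered through the standard X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which this page does not name; the function name framing_policy and the sample headers are constructed for illustration.

```python
def framing_policy(headers):
    """Audit a response's (name, value) header list for anti-framing protection.

    Returns "deny", "same-origin", "allow-list", "conflict" or "unprotected".
    """
    csp, xfo = [], []
    for name, value in headers:
        name = name.strip().lower()
        if name == "content-security-policy":  # the -Report-Only variant is not enforced
            csp.extend(value.split(","))       # one header may carry several policies
        elif name == "x-frame-options":
            xfo.extend(v.strip().lower() for v in value.split(","))

    # An enforced frame-ancestors directive takes precedence over X-Frame-Options.
    # Simplification: the first such directive found is the one reported.
    for policy in csp:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if not sources or sources == ["'none'"]:
                    return "deny"              # an empty source list matches nothing
                if "*" in sources:
                    return "unprotected"       # any origin may frame the page
                return "same-origin" if sources == ["'self'"] else "allow-list"

    values = set(xfo)
    if len(values) > 1:
        return "conflict"                      # contradictory values: fix the config
    if values == {"deny"}:
        return "deny"
    if values == {"sameorigin"}:
        return "same-origin"
    return "unprotected"  # header missing, or obsolete ALLOW-FROM that browsers ignore


# Constructed sample responses (not captured from any product).
SAMPLES = {
    "xfo only": [("X-Frame-Options", "SAMEORIGIN")],
    "csp wins": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
                 ("X-Frame-Options", "SAMEORIGIN")],
    "obsolete": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'self'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12} -> {framing_policy(hdrs)}")
```

A result of "unprotected" or "conflict" for a console page means the default protection is not reaching the browser, for example because a proxy in front of the server strips or rewrites the header.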