Security: CSS clickjacking protection bypass
Reported by
marco.bo...@gmail.com,
Feb 2 2018
Issue description
VULNERABILITY DETAILS
Hello Chromium team,
While trying to create a use case for experimenting with iframe-able contents and clickjacking, I think I've found an issue in how the clickjacking protection works in Chrome.
See the attached HTML files; they're just a tiny bit more than the MDN code for the iframe element (taken from https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe ) plus a CSS style inlined in the head element that is a textbook clickjacking example.
In the -notworking case, the iframe opacity is set to 0 and the element, even with z-index assigned to 1, is not clickable. I *think* this is a built-in protection of Chrome, since both stable versions of Firefox and Safari happily allow the content to be clickable.
In the -working case instead, assigning a small amount of opacity to the iframe makes the element clickable again with no human-discernible rendering in the page: running the macOS built-in color picker app on the page reports full white (255, 255, 255) across the document.
From digging through the bug tracker it's not clear to me how clickjacking issues are addressed; the closest issues I've found are https://bugs.chromium.org/p/chromium/issues/detail?id=387472 and https://bugs.chromium.org/p/chromium/issues/detail?id=128353 .
Let me know what you think.
Cheers,
Marco
VERSION
Chrome Version: tested with both 63.0.3239.132 stable and 66.0.3336.5 canary
Operating System: macOS 10.13.3
REPRODUCTION CASE
See the attached HTML files.
Feb 2 2018
Totally agree that X-Frame-Options and Content-Security-Policy are the way to go! I don't fully understand why chromium prevents clicking on elements with opacity 0, though - one thing I forgot to add is that I wasn't able to find any public reference to this feature.
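As an added example (not part of the bug thread or of Chromium's code), a small check of whether a response's headers actually prevent framing, which is the mitigation named above; it also goes slightly beyond the thread by applying the rule that a CSP frame-ancestors directive overrides X-Frame-Options when both are sent. Header values used to exercise it are constructed.

```javascript
'use strict';

// Parse a Content-Security-Policy value into {directive: [sources]}.
// Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) {
      directives[name] = tokens.slice(1).map((s) => s.toLowerCase());
    }
  }
  return directives;
}

// Case-insensitive header lookup (header names are case-insensitive on the wire).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Verdict for a response: 'blocked', 'same-origin', 'allow-listed' or 'framable'.
// A CSP frame-ancestors directive takes precedence over X-Frame-Options when
// both are present, which is why it is checked first.
function framingProtection(headers) {
  const csp = getHeader(headers, 'content-security-policy');
  if (csp !== undefined) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors !== undefined) {
      if (ancestors.includes("'none'")) return 'blocked';
      if (ancestors.length === 1 && ancestors[0] === "'self'") return 'same-origin';
      return 'allow-listed';
    }
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return 'blocked';
    if (value === 'SAMEORIGIN') return 'same-origin';
    // Any other value (e.g. the obsolete ALLOW-FROM) is not enforced by Chrome.
  }
  return 'framable';
}
```

Run it over the headers your endpoints actually return; a verdict of 'framable' on a page with sensitive buttons is what an overlay like the one in the report relies on.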
Feb 2 2018
I'm not an expert on hit-testing, but https://bugs.chromium.org/p/chromium/issues/detail?id=698044 or https://bugs.chromium.org/p/chromium/issues/detail?id=454920 may be helpful.
May 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 2 2018
Status: WontFix (was: Unconfirmed)