This evil page loads the victim (target) page in an iframe and overlays it on a harmless-looking element of attacker.com.
Then, when the user thinks they are interacting with the harmless element of the evil page, they are actually interacting with the targeted victim page, which lets the attacker make the victim perform unintended actions on the victim website.
In the sample below, a harmless-looking link is overlaid with a harmful action button from the targeted website.
Obviously, real attacks would make the button far more transparent than in this example!
The really harmless link:
Click to see adorable kitties!
The harmful button, embedded from the victim website using an iframe:
The overlayed result:
Now, click the link below to try the same thing, but this time with a Content-Security-Policy.
Retry with CSP
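As an added example, not part of this demo page: a small Python checker for the defence the retry link demonstrates. Given the response headers a page sends and the origin of the page trying to frame it, it decides whether a browser would allow the framing, applying the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options. The origins and header sets at the bottom are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(src, page_origin, framer_origin):
    """Does one frame-ancestors source expression admit framer_origin?"""
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", src):  # scheme-source such as https:
        return framer_origin.startswith(src)
    # host-source: [scheme://]host[:port]; the host may carry a leading "*." wildcard
    s, f = urlsplit(src if "://" in src else "//" + src), urlsplit(framer_origin)
    if s.hostname is None or (s.scheme and s.scheme != f.scheme):
        return False
    if s.port and s.port != (f.port or {"http": 80, "https": 443}.get(f.scheme)):
        return False
    if s.hostname.startswith("*."):
        return f.hostname.endswith(s.hostname[1:])  # a.victim.example, not victim.example
    return f.hostname == s.hostname

def framing_allowed(headers, page_origin, framer_origin):
    """Would a browser let framer_origin embed the page that sent these headers?"""
    # frame-ancestors wins over X-Frame-Options; with neither, anyone may frame the page.
    lowered = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lowered:
        sources = parse_frame_ancestors(lowered["content-security-policy"])
        if sources is not None:
            return any(source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True

VICTIM, ATTACKER = "https://victim.example", "https://attacker.example"  # constructed origins
UNPROTECTED = {"Content-Type": "text/html"}  # what the demo's victim page sends
HARDENED = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}
```

Running `framing_allowed(UNPROTECTED, VICTIM, ATTACKER)` reproduces the demo (framing allowed), while the hardened headers refuse the attacker's frame, and `frame-ancestors 'none'` refuses even same-origin framing.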