The victim page uses the following CSP:
Content-Security-Policy: frame-ancestors 'none'
So the browser refuses to render the victim page inside the attacker's iframe (it logs a message in the console), and the clickjacking attempt fails.
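As an added example (not part of this demo page), here is a defender-side check that reads a response's CSP header and decides whether the page may be framed by a given origin, which is exactly what makes the overlay below fail. It implements a simplified subset of the CSP `frame-ancestors` matching rules (`'none'`, `'self'`, `*`, scheme sources, and host sources with a leading `*.` wildcard); the origins used are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated, tokens are whitespace-separated, and names are
    case-insensitive. Only the first occurrence of a directive is kept, as browsers do.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _source_matches(source: str, page_origin: str, framing_origin: str) -> bool:
    """Does one frame-ancestors source expression match the framing origin? (simplified)"""
    fo = urlsplit(framing_origin)
    if source == "'self'":
        return framing_origin.lower() == page_origin.lower()
    if source.startswith("'"):  # 'none' or any other keyword: matches nothing here
        return False
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return fo.scheme == source[:-1].lower()
    # host-source: optional scheme, host (optionally "*.host"), optional port.
    # Simplification: scheme must match exactly; a port is compared only when listed.
    src = urlsplit(source if "://" in source else f"{fo.scheme}://{source}")
    if src.scheme != fo.scheme or (src.port is not None and src.port != fo.port):
        return False
    host, want = (fo.hostname or "").lower(), (src.hostname or "").lower()
    if want.startswith("*."):
        # "*.example.com" matches "a.example.com" but not "example.com" itself
        return host.endswith(want[1:]) and host != want[2:]
    return host == want


def framing_allowed(csp_header: str, page_origin: str, framing_origin: str) -> bool:
    """True if the CSP lets page_origin be framed by framing_origin.

    No frame-ancestors directive means CSP imposes no restriction at all, so the
    page is framable unless X-Frame-Options (not checked here) says otherwise.
    An empty or 'none' source list matches nothing, so framing is blocked.
    """
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True
    return any(_source_matches(s, page_origin, framing_origin) for s in sources)
```

`framing_allowed("frame-ancestors 'none'", victim, attacker)` is the case on this page and returns `False`; a policy without `frame-ancestors` returns `True`, which is the finding a reviewer should flag.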
The evil page (this one) loads the victim page (the target) in an iframe and overlays it on a harmless-looking element of attacker.com.
Then, when the user thinks they are interacting with the harmless element of the evil page, they are actually interacting with the targeted victim page, which lets the attacker make the victim perform unintended actions on the victim website.
In the sample below, a harmless-looking link is overlaid with a harmful action button from the targeted website.
Obviously, a real attack would make the button far more transparent than this example!
The really harmless link:
Click to see adorable kitties!
The harmful button, embedded from the victim website using an iframe:
The overlayed result: