I think this would have a hard time meeting security review.  Clickjacking would still be possible here as long as the site can add or remove the iframe.  Suppose it lures the user into clicking in some consistent pattern, like in a game that involves trying to click in particular places at particular times.  Then when you can predict the user is about to click, briefly replace the game with the iframe, quickly enough so they don't notice in time to stop clicking.

Opening a new window doesn't have this issue because once you open it, you can't control its position or whether it's focused.  If the user clicks on your page, you can't reliably transfer the click to the new window no matter what.  Nothing that's inside the page content will be secure.  Yes, this is a disadvantage of web apps compared to desktop apps, but such disadvantages are necessary, since web apps run without the user's knowledge or consent.

CC'ing some implementers to get confirmation on whether this is an unacceptable security problem given the benefit.

We've been kicking around some ideas for addressing some of these use cases, but we've been approaching the problem as giving web pages a way to create a "lightbox"-like UI using something that's really a popup window under the covers.  The idea being that popup windows are always rendered "on top" and they're not subject to interference by the page that creates them.  The limitation is that they're ugly and difficult for users to manage.  In some sense, you could address these use cases with a chromeless popup window that was constrained to the parent web page, much like alert dialogs are in recent versions of Firefox.

Anyway, we haven't got much past the "hallway discussion" phase, but I think there's some potential for addressing these use cases.  Of course, we'd have to do it carefully because these are tricky security issues.

A pop-up windows position can be controlled from JavaScript and most browsers give it focus instantly too.

I thought about the idea of rendering the iframe as always on top too. However this would limit animation (a rotating cube for instance) and other cool effects.

What may be a good compromise is that the iframe would have to be focused before clicks are sent to it (like a pop-up window), a focused iframe is always on top and any clicks sent to the iframe are not registered on the outer page. Browsers could also enforce a minimum size before any content is rendered.

I personally can't see how these restrictions would be any more dangerous than a pop-up window.

mass-move component to LC1

What additional information do you need?

From my perspective the iframe sandbox doesn't go far enough if browsers are not ignoring X-Frame-Options on sandboxed content.
Browser developers should be confident that click-jacking is preventable when using a sandbox under certain conditions.

I believe, in this context, there is enough of a case for extending the functionality of the sandbox attribute.

Why can't you just use a popup?

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: Seems like a rather narrow use case to add a feature with such security implications.