As of this writing (October 30, 2008), the only reasonable defense against clickjacking is to use NoScript with Firefox, or to rely on individual sites to exercise frame-busting JavaScript (or more effective countermeasures) to ensure that their interesting pages can't be loaded or manipulated via iframes. So far, there is no default protection against hidden or obscured iframes in either Firefox 3 or Internet Explorer 7.
This page takes a look at the default iframe behavior of the top ten websites according to Alexa, as well as AOL, since it's a pretty popular webmail host.
Check the BreakingPoint Labs blog for the original context of this test page and how it relates to clickjacking.
This page is most useful when you (the fake victim) are already logged into the sites being tested below.
Note: if you are not logged in to Yahoo, you will be forwarded to Yahoo's main site after opening the iframe.
Note: Windows Live sometimes asks for reauthentication by breaking out of the iframe (but only sometimes).
Note: if you are not logged in to Yahoo Japan, you will be forwarded to Yahoo's main site after opening the iframe.
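The frame-busting defense mentioned at the top of this page, sketched as an added example; it is not code from the original test page or from any of the sites tested. The function names and the `win` parameter are assumptions made so the logic can be exercised outside a browser.

```javascript
// Added example: frame-busting guard for a sensitive page.
// `win` is the browser's window object; passing it in (an assumption of this
// example) lets the logic run against stand-in objects outside a browser.

function isFramed(win) {
  try {
    // A top-level page is its own top window; a framed page is not.
    return win.top !== win.self;
  } catch (e) {
    // If the check itself fails, fail closed and treat the page as framed.
    return true;
  }
}

function guardAgainstFraming(win) {
  const root = win.document.documentElement;
  if (!isFramed(win)) {
    root.style.display = "";        // top-level: show the page normally
    return "top-level";
  }
  // Framed: hide everything first, so nothing clickable is rendered even if
  // the break-out below is prevented by the embedding page.
  root.style.display = "none";
  try {
    win.top.location = win.self.location.href;  // break out of the frame
    return "busted";
  } catch (e) {
    return "hidden";                // could not navigate; content stays hidden
  }
}

// In a browser, run as early as possible in the page.
if (typeof window !== "undefined") {
  guardAgainstFraming(window);
}
```

Pairing this with a style rule that hides the page by default means the content also stays hidden when the script is prevented from running inside the frame.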