Clickjacking is a malicious attack where users are tricked into clicking on links or UI elements on a site that appears to be a trusted and familiar site. This is typically accomplished by embedding part or all of the trusted site into the malicious site using an <iframe>.
The X-Frame-Options (XFO) header and the frame-ancestors directive in the Content-Security-Policy (CSP) header can mitigate clickjacking attacks by controlling how a site can be embedded within an <iframe>.
How the Lighthouse audit fails
The audit will pass if the XFO header is set with SAMEORIGIN or DENY, or the frame-ancestors directive is set on the CSP header. The audit will fail if neither of these frame control policies are configured.