> there is no technical method for preventing clickjacking
I think there is. Most of these widgets are embedded using SCRIPTs which have access to the parent page's DOM structure. For Twitter/Facebook they can basically access anything on your page. This means they can do a check for `pointer-events:none` (computed CSS value) on the element above the widget (get that using `document.elementFromPoint`).
EDIT: After some investigation: elementFromPoint doesn't work on elements with pointer-events:none, it seems. That sucks. It may still be possible to circumvent these attacks. For example, when the widget receives a mouseenter event, it could place itself at the end of the document tree in the parent page and ensure it has the highest possible z-index. I'm sure there are other viable options too...
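
An added example, not part of any comment in this thread and not Twitter's or Facebook's code: because `elementFromPoint` skips `pointer-events:none` elements, a script-embedded widget can instead enumerate the page's elements and compare geometry and computed style. The names `rectsOverlap` and `findClickThroughOverlays` are hypothetical, and the check ignores stacking order, so it also reports click-through elements painted beneath the widget.

```javascript
// Added example: detect elements that overlap a widget while letting
// clicks pass through to it (computed pointer-events: none).

function rectsOverlap(a, b) {
  // Axis-aligned rectangle intersection on viewport coordinates.
  return a.left < b.right && b.left < a.right &&
         a.top < b.bottom && b.top < a.bottom;
}

// Returns every element that overlaps `widget` and is transparent to
// pointer events. `doc` and `win` default to the browser globals; they are
// parameters only so the function can be exercised outside a browser.
function findClickThroughOverlays(widget, doc = document, win = window) {
  const target = widget.getBoundingClientRect();
  const hits = [];
  for (const el of doc.querySelectorAll('*')) {
    // Skip the widget itself, its ancestors and its own descendants.
    if (el === widget || el.contains(widget) || widget.contains(el)) continue;
    const style = win.getComputedStyle(el);
    // Only elements that let the click fall through are of interest.
    if (style.pointerEvents !== 'none') continue;
    // Elements that are not rendered cannot mislead the user.
    if (style.display === 'none' || style.visibility === 'hidden') continue;
    if (rectsOverlap(el.getBoundingClientRect(), target)) hits.push(el);
  }
  return hits;
}
```

A widget could run this before honouring a click and ask for confirmation when the result is non-empty. It only works for script-embedded widgets: a widget inside a cross-origin iframe cannot read the parent page's DOM.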
You suggest that these obnoxious buttons should start behaving even more annoyingly by peeking around the side and potentially rearranging/changing themselves?
First, I don't believe that an arms race makes sense. There are too many ways to trick someone into clicking a thing. Second: Please... Like buttons are already as lovely as blink tags on a Geocities page. They don't need to be 'improved' like that.