Update: Clickjacking_Defense_Cheat_Sheet.md to address Double Clickjacking #1577

@kwwall

Description

What is missing or needs to be updated?

The Clickjacking_Defense_Cheat_Sheet.md cheat sheet does not account for defenses from the new related attack dubbed "Double Clickjacking".

How should this be resolved?

At a minimum, we need to update this to mention that some of the defenses mentioned in the current CS are not effective. (Paulos Yibelo's blog post did not explicitly mention whether frame-busting script was still effective, but it did note that relying only on header defenses such as the CSP frame-ancestors directive or X-Frame-Options or the "SameSite" cookie attribute was not effective.)

Other

Note: Do not ask me to submit a PR to address this issue as my depth of JavaScript is not sufficient for that. I only know enough to be effective at secure code reviews in regards to that.
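The headers named above all stop a page from being framed, and Double Clickjacking does not frame anything: the sensitive page is loaded in its own window and receives a click that the user intended for something else, with no prior interaction on that page. The following is an added example, not code from the cheat sheet or from this issue, of a client-side control that addresses that gap by keeping a sensitive button disabled until the page itself has observed genuine pointer movement. The function names (`createGestureGate`, `protectButton`), the `minMoveEvents` threshold and the choice to re-disable the button on a visibility change are this example's own assumptions.

```javascript
// Added example (not from the OWASP cheat sheet): gesture-gated activation
// for a sensitive control. The gate is plain state so it can be exercised
// outside a browser; protectButton() wires it to DOM events.

// Assumption: a control is "armed" only after the document has seen at
// least minMoveEvents trusted pointer moves. Synthetic events dispatched
// by script (event.isTrusted === false) are ignored.
function createGestureGate({ minMoveEvents = 2 } = {}) {
  let moves = 0;
  let armed = false;
  return {
    // Record one pointer move; returns the new armed state.
    onPointerMove(event) {
      if (event && event.isTrusted === false) return armed;
      moves += 1;
      if (moves >= minMoveEvents) armed = true;
      return armed;
    },
    // Decide whether a click on the protected control may proceed.
    allowActivation(event) {
      if (event && event.isTrusted === false) return false;
      return armed;
    },
    isArmed() { return armed; },
    // Forget the gesture, e.g. when the page is hidden and shown again,
    // which is exactly the window switch the attack relies on.
    reset() { moves = 0; armed = false; },
  };
}

// Browser wiring (only meaningful with a real DOM). The click listener is
// registered in the capture phase so it runs before the control's own
// handlers and can cancel the action.
function protectButton(button, gate, doc = button.ownerDocument) {
  button.disabled = true;
  doc.addEventListener('pointermove', (e) => {
    if (gate.onPointerMove(e)) button.disabled = false;
  }, { passive: true });
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState !== 'visible') {
      gate.reset();
      button.disabled = true;
    }
  });
  button.addEventListener('click', (e) => {
    if (!gate.allowActivation(e)) {
      e.preventDefault();
      e.stopImmediatePropagation();
    }
  }, true);
}

// Usage in a page (assumed element id):
//   const gate = createGestureGate();
//   protectButton(document.getElementById('authorize-btn'), gate);
```

The `disabled` attribute alone is not the defense; an attacker-controlled page cannot reach this DOM anyway. The point is that the authorization click cannot be the first event this document ever receives, which is the precondition the attack needs. The trade-off is a real one for keyboard-only users, who produce no pointer moves; a production version would also arm the gate on trusted keyboard focus within the document.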

Metadata

Labels

ACK_OBTAINED: Issue acknowledged from core team so work can be done to fix it.
UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.
