Enforcing Standards Mode with X-FRAME-OPTIONS
Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser. But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode.
Putting this into practice is pretty simple. First, you’ll need a Standards Mode DOCTYPE and document compatibility header on your web content, eg:
<!DOCTYPE html><html><head> <!-- Enable IE9 Standards mode --> <meta http-equiv="X-UA-Compatible" content="IE=9" ></head><body>…</body></html>
Then enable X-FRAME-OPTIONS by setting the appropriate HTTP response header:
Now Standards Mode will be enabled and framing-induced "mode inheritance" will be prevented.