Enforcing Standards Mode with X-FRAME-OPTIONS

Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface Reduction in the browser.  But it’s necessary to prevent framing as a prerequisite to enforced Standards Mode.

Putting this into practice is pretty simple.  First, you’ll need a Standards Mode DOCTYPE and document compatibility header on your web content, eg:

<!DOCTYPE html><html><head> <!-- Enable IE9 Standards mode --> <meta http-equiv="X-UA-Compatible" content="IE=9" ></head><body>…</body></html>

Then enable X-FRAME-OPTIONS by setting the appropriate HTTP response header:

X-FRAME-OPTIONS: DENY
…or…
X-FRAME-OPTIONS: SAMEORIGIN

Now Standards Mode will be enabled and framing-induced "mode inheritance" will be prevented.