Reduced attack surface in Standards Mode is a good step forward for XSS-focused attack surface reduction in the browser. But preventing framing is a prerequisite to actually enforcing Standards Mode: a framed document is rendered in the document mode of the top-level page, not the mode it asks for, so a page framed from a Quirks or older-mode top-level document loses the reductions.
Putting this into practice is pretty simple. First, you'll need a Standards Mode DOCTYPE and an X-UA-Compatible document compatibility declaration on your web content, sent either as an HTTP response header or as a meta tag at the top of the head (the HTTP header takes precedence over the meta tag), e.g.:
<!-- Enable IE9 Standards mode -->
<meta http-equiv="X-UA-Compatible" content="IE=9" >
Then prevent framing by sending the X-Frame-Options HTTP response header with the value DENY, or SAMEORIGIN if pages on your own origin need to frame the content.
Now Standards Mode will be enforced and framing-induced "mode inheritance" prevented: a page on another origin can no longer load your content in a frame and drag it into its own, weaker document mode. If you chose SAMEORIGIN, the top-level pages on your origin that do frame the content still set the mode, so they must be in Standards Mode themselves.
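As an added example (not code from the original post or from any IE component), here is a small Python WSGI middleware that sets both response headers the steps above call for, together with a checker that tells you whether a given response is actually protected. The sample page, the WSGI app and the middleware are constructed for this example; the interpretation of X-UA-Compatible values (IE=n and IE=edge force a mode, IE=EmulateIEn falls back to the DOCTYPE switch, and only IE8 or later modes count as the hardened Standards Mode) is this example's own reading of the header semantics, not something the post states.

```python
"""Added example: emit and verify the X-UA-Compatible / X-Frame-Options pair."""
import re
from wsgiref.util import setup_testing_defaults

# Constructed sample document (assumption: minimal page, not from the post).
STANDARDS_MODE_DOC = (
    b"<!DOCTYPE html>\n<html><head>\n"
    b"<!-- Enable IE9 Standards mode -->\n"
    b'<meta http-equiv="X-UA-Compatible" content="IE=9">\n'
    b"<title>demo</title></head><body>hello</body></html>\n"
)

# Finds a <meta http-equiv="X-UA-Compatible" content="..."> and captures the value.
_META_RE = re.compile(
    rb'<meta[^>]*http-equiv=["\']?x-ua-compatible["\']?[^>]*content=["\']?([^"\'>\s]+)',
    re.IGNORECASE,
)


def add_security_headers(app, frame_policy="DENY", ua_compatible="IE=9"):
    """Wrap a WSGI app so every response carries both headers.

    Existing headers set by the app are left alone; only missing ones are added.
    """
    if frame_policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("frame_policy must be DENY or SAMEORIGIN")

    def middleware(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            if "x-ua-compatible" not in present:
                headers.append(("X-UA-Compatible", ua_compatible))
            if "x-frame-options" not in present:
                headers.append(("X-Frame-Options", frame_policy))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return middleware


def page_app(environ, start_response):
    """Constructed WSGI app that serves the sample document (meta tag only)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [STANDARDS_MODE_DOC]


def run_app(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def _standards_mode(value, body):
    """Interpret an X-UA-Compatible value (assumption: IE8+ modes are the hardened ones).

    IE=n / IE=edge force that mode; IE=EmulateIEn only gives Standards Mode when
    the document also carries a DOCTYPE (otherwise it renders in Quirks).
    """
    m = re.fullmatch(r"IE=(edge|emulateie(\d+)|(\d+))", value.strip(), re.IGNORECASE)
    if not m:
        return False
    if m.group(1).lower() == "edge":
        return True
    if m.group(2):
        return int(m.group(2)) >= 8 and body.lstrip().lower().startswith(b"<!doctype")
    return int(m.group(3)) >= 8


def check_response(headers, body):
    """Report whether a response both requests Standards Mode and blocks framing."""
    hdr = {name.lower(): value for name, value in headers}
    notes = []
    ua = hdr.get("x-ua-compatible")
    if ua is None:  # fall back to the meta tag; the HTTP header would override it
        m = _META_RE.search(body)
        ua = m.group(1).decode("ascii", "replace") if m else None
        if ua:
            notes.append("X-UA-Compatible came from a meta tag; an HTTP header would override it")
    standards = bool(ua) and _standards_mode(ua, body)

    xfo = hdr.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        framing_blocked = True
    elif xfo == "SAMEORIGIN":
        framing_blocked = True
        notes.append("SAMEORIGIN: same-origin top-level pages still set the mode, keep them in Standards Mode")
    else:
        framing_blocked = False
        notes.append("no recognised X-Frame-Options value; a framing page's document mode wins")
    return {"standards_mode": standards, "framing_blocked": framing_blocked,
            "protected": standards and framing_blocked, "notes": notes}


if __name__ == "__main__":
    for label, app in (("hardened", add_security_headers(page_app)), ("bare", page_app)):
        _, hdrs, body = run_app(app)
        print(label, check_response(hdrs, body))
```

The checker treats an unrecognised or missing X-Frame-Options value as unprotected rather than guessing what a given browser would do with it, and it flags SAMEORIGIN separately because the framing pages on your own origin then become part of the attack surface you have to keep in Standards Mode.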