Enforcing Standards Mode with X-FRAME-OPTIONS

Reducing the attack surface in Standards Mode is a good step forward for XSS-focused attack surface reduction in the browser.  But a framed page can inherit the document mode of the page that frames it, so preventing framing is a prerequisite for actually enforcing Standards Mode.

Putting this into practice is pretty simple.  First, you'll need a Standards Mode DOCTYPE and a document compatibility header on your web content, e.g.:

<!DOCTYPE html>
<html>
  <head>
    <!-- Enable IE9 Standards mode; this meta must precede all other head elements
         except <title> and other <meta> elements -->
    <meta http-equiv="X-UA-Compatible" content="IE=9">
  </head>
  <body></body>
</html>


Then enable X-FRAME-OPTIONS by setting the appropriate HTTP response header:


Now Standards Mode will be enabled and framing-induced “mode inheritance” will be prevented.
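As an added example (not code from the original post), here is a small pre-deployment check that verifies a response carries all three pieces the post relies on: a Standards Mode DOCTYPE, an X-UA-Compatible directive (sent either as an HTTP header or as the <meta> above), and an X-Frame-Options header whose value actually blocks framing. The sample responses, the header dictionaries and the function names are constructed for this example; the set of anti-framing values is an assumption limited to the two classic values DENY and SAMEORIGIN.

```python
"""Added example: check that a page enforces Standards Mode and blocks framing.
Not from the original post; sample responses below are constructed."""
import re

# Assumption: only these two X-Frame-Options values are treated as anti-framing.
ANTI_FRAMING_VALUES = {"DENY", "SAMEORIGIN"}

# Standards Mode DOCTYPE must be the very first thing in the document.
STANDARDS_DOCTYPE = re.compile(r"^\s*<!DOCTYPE\s+html\s*>", re.IGNORECASE)

# Matches <meta http-equiv="X-UA-Compatible" content="...">.
META_UA_COMPAT = re.compile(
    r'<meta\s+http-equiv\s*=\s*"X-UA-Compatible"\s+content\s*=\s*"([^"]+)"',
    re.IGNORECASE,
)


def find_ua_compatible(headers, html):
    """Return the X-UA-Compatible value from the HTTP header or the <meta>, or None."""
    for name, value in headers.items():
        if name.lower() == "x-ua-compatible":
            return value.strip()
    match = META_UA_COMPAT.search(html)
    return match.group(1).strip() if match else None


def find_frame_options(headers):
    """Return the X-Frame-Options header value upper-cased, or None if absent."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip().upper()
    return None


def check_standards_mode_enforcement(headers, html):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    if not STANDARDS_DOCTYPE.match(html):
        findings.append("missing Standards Mode DOCTYPE (<!DOCTYPE html>)")
    if not find_ua_compatible(headers, html):
        findings.append("no X-UA-Compatible header or <meta> found")
    xfo = find_frame_options(headers)
    if xfo is None:
        findings.append(
            "no X-Frame-Options header: framing and mode inheritance remain possible"
        )
    elif xfo not in ANTI_FRAMING_VALUES:
        findings.append(f"X-Frame-Options value {xfo!r} does not prevent framing")
    return findings


# Constructed sample: a page set up the way the post describes.
GOOD_HTML = (
    "<!DOCTYPE html>\n<html><head>\n"
    '  <meta http-equiv="X-UA-Compatible" content="IE=9">\n'
    "  <title>demo</title></head><body></body></html>"
)
GOOD_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

# Constructed sample: Standards Mode requested, but nothing stops framing.
WEAK_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_standards_mode_enforcement(hdrs, GOOD_HTML) or "OK")
```

Run it against captured responses from your own site: any finding on the X-Frame-Options line means the DOCTYPE and X-UA-Compatible work can still be undone by a framing page.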
