Reduced attack surface in Standards Mode is a good step forward for XSS-focused attack surface reduction in the browser. But because a framed document can inherit the rendering mode of the page that frames it, preventing framing is a prerequisite for enforced Standards Mode.
Putting this into practice is pretty simple. First, you’ll need a Standards Mode DOCTYPE and document compatibility header on your web content, e.g.:
<!DOCTYPE html>
<html>
<head>
  <!-- Enable IE9 Standards mode -->
  <meta http-equiv="X-UA-Compatible" content="IE=9">
</head>
<body>…</body>
</html>
Then enable X-FRAME-OPTIONS by setting the appropriate HTTP response header:
X-FRAME-OPTIONS: DENY
…or…
X-FRAME-OPTIONS: SAMEORIGIN
Now Standards Mode will be enabled and framing-induced "mode inheritance" will be prevented.
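The two-part setup above, as an added example that is not from the original article: a small Python server that emits the Standards Mode document together with the X-FRAME-OPTIONS header, plus a check_response() audit function that flags a response missing either piece. The HTML body, the port and the function names are assumptions for this example.

```python
"""Added example (not part of the original article): serve a Standards Mode page
with X-FRAME-OPTIONS, and audit a response for both requirements."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import re

# Constructed sample page: Standards Mode DOCTYPE plus the IE=9 document
# compatibility meta tag shown in the article.
STANDARDS_MODE_HTML = (
    "<!DOCTYPE html>\n"
    "<html><head>\n"
    "  <!-- Enable IE9 Standards mode -->\n"
    '  <meta http-equiv="X-UA-Compatible" content="IE=9">\n'
    "</head><body>Hello</body></html>\n"
)

# The two values the article prescribes for the header.
ALLOWED_FRAME_POLICIES = {"DENY", "SAMEORIGIN"}


def build_response(policy="DENY"):
    """Return (headers, body) for a response that enforces Standards Mode
    and forbids framing. `policy` must be DENY or SAMEORIGIN."""
    if policy.upper() not in ALLOWED_FRAME_POLICIES:
        raise ValueError("unsupported X-FRAME-OPTIONS value: %r" % policy)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": policy.upper(),
    }
    return headers, STANDARDS_MODE_HTML


def check_response(headers, body):
    """Audit a response. Returns a list of findings; an empty list means the
    page meets both conditions described in the article."""
    findings = []
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-FRAME-OPTIONS header")
    elif xfo.strip().upper() not in ALLOWED_FRAME_POLICIES:
        findings.append("unrecognised X-FRAME-OPTIONS value: %r" % xfo)
    # Standards Mode needs the DOCTYPE at the very start of the document.
    if not re.match(r"\s*<!DOCTYPE\s+html", body, re.IGNORECASE):
        findings.append("no Standards Mode DOCTYPE at start of document")
    # The document compatibility meta tag pins the IE document mode.
    if not re.search(
        r'<meta\s+http-equiv="X-UA-Compatible"\s+content="IE=\d+"',
        body,
        re.IGNORECASE,
    ):
        findings.append("no X-UA-Compatible meta tag")
    return findings


class Handler(BaseHTTPRequestHandler):
    """Serves the Standards Mode page with X-FRAME-OPTIONS: SAMEORIGIN."""

    def do_GET(self):
        headers, body = build_response("SAMEORIGIN")
        self.send_response(200)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))


if __name__ == "__main__":
    # Assumed local port; bind to loopback only for the demonstration.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run the script and fetch http://127.0.0.1:8080/ to see both the header and the DOCTYPE/meta tag in the response; check_response() can also be pointed at headers and bodies captured from any other server to confirm it is not missing one half of the configuration.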