I am working on a tool to facilitate patrolling of recent changes, and part of the tool’s user interface consists of a big <iframe> showing the current state of a page by embedding Special:PermaLink/id. Most of the time, this works fine; however, if the page was recently created by a new contributor, and the tool user is logged in on the wiki I am embedding, then MediaWiki will show a “mark page as patrolled” link, and to protect that link against clickjacking, it will also send an X-Frame-Options: DENY header, rendering my tool’s <iframe> blank.
Is there anything I can do about this? I don’t need the “mark as patrolled” link on the page, for all I care the page might as well be loaded without the user being logged in at all. Perhaps there’s some kind of URL parameter to tell MediaWiki to ignore the user’s cookies (and pretend the wiki is read-only, to prevent the user from revealing their IP if they edit, I suppose)? Or does anyone have other ideas?
One thing I could do (and in fact considered doing in the past, when I was embedding diff pages instead of view pages) is to download the page server-side (in my tool) and then serve it to the user from my tool… but that feels like a pretty ugly hack.
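The browser-side decision that leaves the frame blank can be modelled as below. This is an added example, not part of the original post and not MediaWiki's code; it assumes a single embedder framing a single page, simplifies `frame-ancestors` source matching to `'self'`, `*` and exact origins, and all function names and the sample origins are hypothetical.

```javascript
// Added example: simplified model of a browser's framing check for one
// embedder framing one page. Function names are hypothetical.

// Split a comma-separated header value into lowercase tokens.
function splitTokens(value) {
  return (value || "").split(",").map(t => t.trim().toLowerCase()).filter(Boolean);
}

// Return the source list of a frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Simplified source matching: 'self', *, and exact origins only.
// Anything else (including 'none') matches nothing.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  if (source.toLowerCase() === "'self'") return embedderOrigin === pageOrigin;
  if (source === "*") return true;
  try { return new URL(source).origin === embedderOrigin; } catch { return false; }
}

// headers: object keyed by lowercase header name.
function framingAllowed(headers, embedderOrigin, pageOrigin) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // An enforced frame-ancestors directive takes precedence;
    // X-Frame-Options is then ignored.
    return sources.some(s => sourceMatches(s, embedderOrigin, pageOrigin));
  }
  const xfo = new Set(splitTokens(headers["x-frame-options"]));
  const known = ["deny", "sameorigin", "allowall"].some(v => xfo.has(v));
  if (xfo.size > 1) return !known;       // conflicting known values block
  if (xfo.has("deny")) return false;     // the case described in the post
  if (xfo.has("sameorigin")) return embedderOrigin === pageOrigin;
  return true;                           // header absent or unrecognized
}

// Constructed sample: a response like the one described in the post.
console.log(framingAllowed({ "x-frame-options": "DENY" },
  "https://tool.example", "https://wiki.example"));
```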