Wikimedia Developer Support

Reliably embed MediaWiki page in tool



I am working on a tool to facilitate patrolling of recent changes, and part of the tool’s user interface consists of a big <iframe> showing the current state of a page by embedding Special:PermaLink/id. Most of the time, this works fine; however, if the page was recently created by a new contributor, and the tool user is logged in on the wiki I am embedding, then MediaWiki will show a ”mark page as patrolled” link, and to protect that link against clickjacking, it will also send an X-Frame-Options: DENY header, rendering my tool’s <iframe> blank.

Is there anything I can do about this? I don’t need the “mark as patrolled” link on the page, for all I care the page might as well be loaded without the user being logged in at all. Perhaps there’s some kind of URL parameter to tell MediaWiki to ignore the user’s cookies (and pretend the wiki is read-only, to prevent the user from revealing their IP if they edit, I suppose)? Or does anyone have other ideas?

One thing I could do (and in fact considered doing in the past, when I was embedding diff pages instead of view pages) is to download the page server-side (in my tool) and then serve it to the user from my tool… but that’s feels like a pretty ugly hack.


Use a sandboxed iframe with same-origin disallowed. (Also, don’t use Special:Permalink, the only thing it is good for is to break caching and force the request to be served from PHP. Plus, two requests instead of one. Just use the standard difflink syntax instead.)


Adding sandbox="" to the <iframe> doesn’t seem to have any effect – the request to the wiki still includes session cookies and the response still breaks frames.


An example of this is diff 844500022, which will show a blank frame if the visiting user is logged in and autoconfirmed on Wikidata. (@Tgr, as far as I can tell your staff account isn’t yet autoconfirmed, but your private one is.)

(This is without the sandbox="" addition, because I only tested that locally.)


The tool seems to be broken.

In theory sandbox with no allow-same-origin should completely disable cookies but I never tried. Alternatively you could try action=render which probably does not include the patrolling stuff.


Tool was broken for users who hadn’t logged in yet, should be fixed now. Thanks.

action=render works, but isn’t very useful to embed without the required stylesheets… I could add an endpoint to my tool that fetches the rendered content and embeds it in a full page, with a title element and some extra stylesheets etc., and embed that via iframe, but that’s not that different from having that endpoint fetch the whole wiki page and fix it up a bit (make relative links absolute), which is the workaround I mentioned at the end of the original post.