I was trying to embed MediaWiki in an iFrame but was facing some problem. When I tried using the code
<iframe id="media-wiki-frame" src="/path/to/wiki/page"/>
Chrome was giving following error:
Refused to display document because display forbidden by X-Frame-Options
As MediaWiki has a bunch of options that protect the pages sensitive to clickjacking attacks, such as edit pages. This prevents those pages from being displayed in a frame or iframe. The options are:
- 'DENY' - Do not allow framing. This is recommended for most wikis.
- 'SAMEORIGIN' - Allow framing by pages on the same domain. This can be used to allow framing within a trusted domain. This is insecure if there is a page on the same domain which allows framing of arbitrary URLs.
- false - Allow all framing. This opens up the wiki to XSS attacks and thus full compromise of local user accounts. Private wikis behind a corporate firewall are especially vulnerable. This is not recommended
Since, I wanted to be able to embed the wiki on pages with the same origin, I chose the SAMEORIGIN
option for $wgEditPageFrameOptions
. For this, just add a new line in localsetting.php
$wgEditPageFrameOptions = "SAMEORIGIN";
There is another option ($wgBreakFrames) that can be used to prevent external sites from framing your site. If set to “true” it will also prevent positive uses of frames. So if you are still facing problems in embedding the wiki in an iframe, you might want to set the option to false.