An option to disable `X-Frame-Options: SAMEORIGIN` for non-public pages

[wangchun]

I would like to embed our private HackMD notes into an internal MediaWiki. But HackMD set X-Frame-Options which prevents us from doing so. It would be appreciated to have an option to remove this protection. For access control reasons we do not want to make those notes public accessible but we want to embed them in an iframe on another domain.