Following from T212468, XHGui 0.9 adds two new deletion methods that use the "GET" verb (that is, following or clicking a link) without confirmation or authorization requirements.
I've disabled these during the upgrade with a local hot-fix, but I'm working with upstream to either make these configurable or to make them use POST with a confirmation page.
Then, we can update our server configuration to catch these similar to how we catch the POST routes for the "Watch functions" feature, which we limit to wmf/nda currently. (source config, config params).
=> Upstream: https://github.com/perftools/xhgui/issues/248