MediaWiki core should allow the Access-Control-Max-Age header in cross-origin resource sharing (CORS) API requests.
Use case: T268267: Reduce CORS preflight requests - cache the result of OPTIONS API calls to avoid needing to make a new CORS preflight request before each API call to each wiki.
Tagging Security-Team per @Legoktm's suggestion at T268267#6674947 - is this okay from a security perspective?
See also: