Per the Wikimedia user agent policy, users of Wikimedia APIs must set an informative user agent. Normally this is done via the User-Agent HTTP header, but browser-based applications are not allowed to change that for security reasons. The policy says such applications should provide a custom Api-User-Agent header. The action API accepts such headers but the REST APIs do not.
Wikimedia REST APIs should, at a minimum, whitelist such a custom header in their CORS rules, and ideally log its contents instead of, or next to, the default user agent header.