What server should add/not add what header? AFAICS, https://tools.wmflabs.org/wdq2sparql/ does not have any restricting Access-Control-* headers. I think you should be able to set them (if you need them) with PHP.

To repeat the very first sentence from my original ticket:

Situation: I am trying to use the WDQ2SPARQL conversion tool (https://tools.wmflabs.org/wdq2sparql/) in JavaScript

So on http://petscan.wmflabs.org/ if you enter

$.getJSON("https://tools.wmflabs.org/widar/index.php?action=get_rights&botmode=1",function(d){console.log("FINISHED!",d)},'json')

into the JS console, you get no data because of cross-site restrictions.
I think all of *.wmflabs.org should be trustworthy enough for site-wide CORS.
Yes, I could write a proxy. But, really?

I did not suggest that you should write a proxy but that, if you need to add a header to a request's response at tools.wmflabs.org, you should be able to do that yourself.

I have no idea what cross-site restrictions prevent your PetScan tool from working, so I asked you because you seem to know the cause and the fix. But if you don't want to answer that question, that's fine with me.

Well, I don't know how tools.wmflabs.org is set up, so I can't tell you what to fix there. I suspect the header to add is

Access-Control-Allow-Origin: *.wmflabs.org

I am not in control of https://tools.wmflabs.org/wdq2sparql/ so I can't change anything there. I tried changing WiDaR to allow access for petscan on the PHP level, but that didn't work. I'd rather have a site-wide change anyway, for all of tools.wmflabs.org