If you have a request like this:
curl 'https://meta.wikimedia.org/w/api.php?action=query&format=json&list=users&usprop=blockinfo&origin=*&ususerids=123' -X OPTIONS -H 'access-control-request-method: GET' -H 'origin: http://127.0.0.1:8888' -H 'access-control-request-headers: x-requested-with' --compressed -I
It fails (and by failure, I mean it is missing the Access-Control-Allow-Origin header) because it has both Access-Control-Request-Method and Access-Control-Request-Headers headers (which is included in the preflight request of Chrome and Firefox). If you remove either header, the request will succeed.
Here's the error message in the browser's console:
XMLHttpRequest cannot load https://meta.wikimedia.org/w/api.php?action=query&format=json&list=users&usprop=blockinfo&origin=*&ususerids=123. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8888' is therefore not allowed access.