I have noticed that many developers are not aware of how to bypass the browser's same-origin policy when making requests to MediaWiki's API from the browser on a different domain. These developers typically fall back to using JSONP to achieve their goals.
I personally was tripped up by this when first learning the Action API. I think the developer experience can be better without sacrificing security.
MediaWiki could add configuration that would add an Access-Control-Allow-Origin: * header to the responses of all API requests. This is safe as long as MediaWiki is not being run on an intranet:
It is completely safe to augment any resource with Access-Control-Allow-Origin: * as long as the resource is not part of an intranet (behind a firewall).
A wiki should be able to opt out (by default?) of this behavior, since it is not safe if the wiki is non-private but sits on an intranet (i.e. the only thing that secures the content is the firewall itself). However, it is currently possible to bypass this; see T210791. Making this configurable would therefore increase the security of these wikis.
The origin parameter should only be used by whitelisted domains, and origin=* would have no effect.
For same-origin requests, the request will either send the credentials (Cookie or Authorization headers), which bypass the cache, or, if the user does not have a session, it won't, in which case the cached cross-origin response is fine (and perhaps preferable?).
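To make the proposed header policy concrete, here is an added model of the decision an API response would make; it is illustrative code, not MediaWiki's implementation, and `CorsConfig`, `anonymous_cors` and `whitelist` are hypothetical stand-ins for whatever configuration would be introduced. It assumes exact-match whitelisting and that the origin parameter must agree with the browser's Origin header.

```python
# Added model of the proposed CORS policy for MediaWiki API responses.
# Illustrative only: the setting names below are hypothetical, not real
# MediaWiki configuration, and whitelist matching is exact (no wildcards).
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    anonymous_cors: bool   # add "Access-Control-Allow-Origin: *" to anonymous API responses
    whitelist: frozenset   # origins allowed to make credentialed (session) requests
    # An intranet wiki protected only by its firewall opts out with anonymous_cors=False.


def cors_decision(config, origin_header, origin_param, has_credentials):
    """Return (response_headers, treat_as_logged_out) for one API request.

    origin_header:   the browser's Origin header, or None for a same-origin request
    origin_param:    the API 'origin' parameter, or None
    has_credentials: True when the request carried Cookie or Authorization
    """
    headers = {}
    if origin_header is None:
        # Same-origin request: no CORS headers are needed and the session is honoured.
        return headers, False

    # Credentialed cross-origin access is granted only to whitelisted origins, and the
    # origin parameter must agree with the real Origin header the browser sent.
    if origin_param not in (None, "*"):
        if origin_param == origin_header and origin_header in config.whitelist:
            headers["Access-Control-Allow-Origin"] = origin_header
            headers["Access-Control-Allow-Credentials"] = "true"
            headers["Vary"] = "Origin"  # the header differs per origin, so caches must key on it
            return headers, False
        # Unknown origin asking for credentialed access: answer as a logged-out reader at most.
        return headers, True

    # Anonymous cross-origin mode. An explicit origin=* adds nothing once the wildcard is
    # configured globally. The session is dropped, so the body is exactly what any
    # logged-out reader would receive; that is why the wildcard is safe outside an intranet.
    if config.anonymous_cors:
        headers["Access-Control-Allow-Origin"] = "*"
    return headers, True  # with anonymous_cors=False the browser blocks the read
```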