The Access-Control-Allow-Origin response header should be set for all requests and given a default value of * for wikis that are not on an intranet (i.e. behind a firewall). It is completely safe to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.
Add Access-Control-Allow-Origin: * to all requests (config option to disable)
If the API allows for authorization with the authorization code grant (or some other authorization mechanism that does not force the client app to expose its own secrets), then it is safe to add Access-Control-Allow-Headers with a value of Authorization (this header only needs to be added as a response to an OPTIONS request). This would allow non-whitelisted origins to make cross-origin authenticated requests.
If the API allows for browser-based authorization (i.e. Cookies), then the API will need to use the origin whitelist like the Action API does and add the Access-Control-Allow-Credentials header to an OPTIONS request from those whitelisted origins.
Regardless, since requests carrying Authorization or Cookie headers bypass the cache, it is not necessary to vary the response by Origin.
- Ignore all Cookies and HTTP Basic Authorization
- Allow OAuth2's authorization code grant
- Add Access-Control-Allow-Headers: Authorization to all OPTIONS requests
- Use the existing origin whitelist and only do the following actions from one of those Origins:
  - Add Access-Control-Allow-Origin: <Origin Requested> to all OPTIONS requests
  - Add Access-Control-Allow-Credentials: true to all OPTIONS requests
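As an added example that is not part of this proposal or of MediaWiki's code, the following Python model of the rules above returns the CORS headers for one request; the intranet flag, the whitelist contents and the sample origins are assumed and constructed for illustration.

```python
# Added example (not MediaWiki code): a model of the CORS response-header
# policy proposed above, showing which headers are emitted for which request.

INTRANET_MODE = False  # assumed config flag: True disables the open '*' default
ORIGIN_WHITELIST = {"https://app.example.org"}  # constructed sample whitelist


def cors_headers(method, origin, *, intranet=INTRANET_MODE, whitelist=ORIGIN_WHITELIST):
    """Return the CORS headers to add for a single request.

    Rules modelled from the proposal:
    - Non-intranet wikis answer every request with Access-Control-Allow-Origin: *.
    - Whitelisted origins get their own Origin echoed plus Allow-Credentials on
      the OPTIONS preflight, which is what a browser needs before it will send
      cookies cross-origin ('*' may not be combined with credentials).
    - Every preflight that allows an origin also allows the Authorization
      header, so any origin can send a bearer token obtained through the
      authorization code grant.
    - No Vary: Origin is emitted, since credentialed requests bypass the cache.
    """
    headers = {}
    whitelisted = origin is not None and origin in whitelist

    if whitelisted and method == "OPTIONS":
        # Credentialed branch: echo the requesting origin, never '*'.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    elif not intranet:
        # Open default for public wikis; disabled entirely in intranet mode.
        headers["Access-Control-Allow-Origin"] = "*"

    if method == "OPTIONS" and "Access-Control-Allow-Origin" in headers:
        # Only meaningful on a preflight, and only if some origin was allowed.
        headers["Access-Control-Allow-Headers"] = "Authorization"

    return headers


if __name__ == "__main__":
    for m, o in [("GET", None), ("OPTIONS", "https://other.example"),
                 ("OPTIONS", "https://app.example.org")]:
        print(m, o, cors_headers(m, o))
```

Browsers also require the echoed Origin and Allow-Credentials on the actual (non-OPTIONS) response before they expose a credentialed result to the page, so a real implementation would apply the whitelist branch to every method, not only to the preflight.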