"As a Client Developer, I want to make API calls from a Web browser, so that I can use the Web platform to make Wikimedia client apps."
This is essentially "configure CORS so that developers can make calls from other services."
Ideally, we would just set it up so CORS would allow calls from any domain for any route on the server.
Unfortunately, we're also going to be serving the API portal from the same host, and the Web interface for MediaWiki requires having CORS block access to the API from other domains (I think).
So, best case is full server is available without CORS blocking. Second-best case is that the MediaWiki routes are available with whatever CORS baloney they need, and the API gateway routes are unblocked by CORS.