In the current documentation for CORS usage in cross-site requests, it states:
"If the CORS origin check passes, MediaWiki will include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may be sent."
What it should also say -- once this is implemented -- is that if the CORS origin check doesn't pass, MediaWiki will not include the Access-Control-Allow-Credentials: true header in the response, so authentication cookies may not be sent, but MediaWiki will still include the Access-Control-Allow-Origin: * header so that unauthenticated requests can be made from any origin.
- JSONP, which is currently enabled, is an old, less secure workaround for the problem that CORS now solves correctly.
- A previous request that was declined for invalid reasons.
- A related API roadmap discussion
- Users trying to access a MediaWiki API and expecting CORS to be enabled: 1, 2
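
The two-branch header behaviour proposed above, sketched as an added example (not MediaWiki's own code). The allowlist, the function names, the exact-match comparison and the `useSession` flag are assumptions made for illustration.

```javascript
// Added example. TRUSTED_ORIGINS is a constructed allowlist, not MediaWiki configuration.
const TRUSTED_ORIGINS = new Set([
  "https://en.wiki.example",
  "https://commons.wiki.example",
]);

// Return the canonical scheme://host[:port] form of an Origin header value,
// or null when the value is absent, "null", or not a bare origin.
function normaliseOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  // Reject anything carrying a path, query, userinfo or explicit default port.
  if (url.origin === "null" || url.origin !== value.toLowerCase()) return null;
  return url.origin;
}

// Decide the CORS response headers and whether the request may use the session.
function corsDecision(originHeader) {
  const origin = normaliseOrigin(originHeader);
  if (origin !== null && TRUSTED_ORIGINS.has(origin)) {
    // Origin check passed: echo the exact origin, because browsers refuse
    // a wildcard Access-Control-Allow-Origin on credentialed requests.
    return {
      useSession: true,
      headers: {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
      },
    };
  }
  // Origin check failed: readable from any origin, but no credentials header.
  // Assumption: the server also ignores cookies here so the call runs anonymously.
  return {
    useSession: false,
    headers: { "Access-Control-Allow-Origin": "*", "Vary": "Origin" },
  };
}
```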