> It is completely safe to augment any resource with Access-Control-Allow-Origin: * as long as the resource is not part of an intranet (behind a firewall).
https://annevankesteren.nl/2012/12/cors-101
~~We do **not** want to do this as the default for MediaWiki, since MediaWiki //could// be run on an intranet (or behind a firewall) and it would be unsafe to make it the default.~~ Since we allow callers to set the `Access-Control-Allow-Origin` header themselves and we do not plant to change that, it is safe to set this as the default for MediaWiki (see T210791).
Regardless, since all of Wikimedia's wikis exist on the internet, it is safe to set the default `origin` param to `*`. It makes the developer experience a lot better as developers do not need to understand the same-origin policy (as well as our API configuration for CORS) in order to consume our data.
If a global config doesn't exist to do this, one should be created.