**Origin**
The [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | Access-Control-Allow-Origin ]] response header should be set for all requests and given a default value of `*` for wikis that are not on an intranet (i.e. behind a firewall). It is [[ https://annevankesteren.nl/2012/12/cors-101 | completely safe ]] to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.
Related: T210790
**Credentials**
If the API allows for authorization with the [[ https://oauth.net/2/grant-types/authorization-code/ | authorization code grant ]] (or some other authorization mechanism that does not force the client app to expose its own secrets), then it is safe to add [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers | Access-Control-Allow-Headers ]] with a value of `Authorization` (this header only needs to be added as a response to an `OPTIONS` request). This would allow non-whitelisted origins to make cross-origin authenticated requests.
If the API allows for browser-based authorization (i.e. Cookies) then the API will need to use the origin whitelist like the Action API does: the [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | Access-Control-Allow-Origin ]] will need to be specific to the [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin | Origin ]] requested, and [[ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials | Access-Control-Allow-Credentials ]] will need to be added to the response to an `OPTIONS` request from those whitelisted origins.
Regardless, since credentialed requests are not cached anyway (`Authorization` and `Cookie` headers bypass the cache), it is not necessary to vary the response by `Origin`, so this shouldn't be a problem.
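The header logic the three sections above describe, as an added example (not MediaWiki code); the `CorsConfig` settings, the whitelist entry and the origins used are constructed for illustration:

```python
"""CORS response-header decision for a REST API, following the proposal above.
Constructed configuration; this is not MediaWiki's real settings or code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsConfig:
    # Assumed settings: a '*' default that intranet wikis can switch off, plus an
    # Action-API-style origin whitelist for cookie-based (credentialed) requests.
    allow_any_origin: bool = True
    origin_whitelist: frozenset = frozenset({"https://app.example.org"})  # constructed


def cors_headers(method: str, origin: Optional[str], has_cookie: bool,
                 cfg: CorsConfig = CorsConfig()) -> dict:
    """Return the CORS headers to attach to one response."""
    headers: dict = {}
    if origin is None:
        return headers  # no Origin header: not a cross-origin browser request
    if origin in cfg.origin_whitelist:
        # Whitelisted origin: echo the exact Origin (browsers reject '*' together
        # with credentials) and allow cookies. A preflight OPTIONS never carries
        # cookies, so this decision must be made from the Origin alone.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        # The proposal notes Vary is not needed because credentialed responses are
        # not cached; emitting it anyway is harmless and protects shared caches.
        headers["Vary"] = "Origin"
    elif has_cookie:
        # Cookie from a non-whitelisted origin: no CORS grant, so the browser
        # withholds the response. The request itself still reaches the server,
        # so state-changing endpoints must keep their CSRF-token checks.
        return headers
    elif cfg.allow_any_origin:
        headers["Access-Control-Allow-Origin"] = "*"  # public, token-or-anonymous access
    else:
        return headers  # intranet mode: cross-origin access disabled
    if method.upper() == "OPTIONS":
        # Preflight: let token-based clients send their Authorization header.
        headers["Access-Control-Allow-Headers"] = "Authorization"
    return headers
```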