Manual:$wgAllowCrossOrigin

Security: $wgAllowCrossOrigin
Allow anonymous cross origin requests to the REST API.
Introduced in version:1.36.0 (Gerrit change 608190; git #ab06b056)
Removed in version:Still in use
Allowed values:(boolean)
Default value:false

Details

Allow anonymous cross origin requests to the REST API .

This should be disabled for intranet sites (sites behind a firewall).