While rewriting Manual:CORS I did some tests of my own, using a local wiki to query the API of another local wiki. What I did not manage to get working is the request against the REST API using mw.ForeignRest, whether setting the 'anonymous' option to true or false. The example I provided there works for me fine, but when I substitute my local wiki for Wikimedia Commons, the request is blocked and the browser says that "No 'Access-Control-Allow-Origin' header is present on the requested resource". Any ideas what could be the matter? I have no such issues with anonymous and authenticated requests made to the Action API or with internal requests to the REST API.
Topic on Project:Support desk
After delving further, I found that $wgAllowCrossOrigin, which is false by default, needs to be set to true to enable CORS for the REST API. I will add it to the documentation.