Translations:Manual:$wgRestAllowCrossOriginCookieAuth/7/en

Therefore, it should be left disabled for most wikis and clients should instead use OAuth to make cross-origin authenticated requests.