Manual:$wgCrossSiteAJAXdomainExceptions/en

Details
Domains that should not be allowed to make AJAX requests, even if they match one of the domains allowed by $CrossSiteAJAXdomains.

Uses the same syntax as $CrossSiteAJAXdomains.