Manual:$wgCrossSiteAJAXdomains/en

Details
Allows Ajax requests from certain domains to make cross-site requests to a wiki's API (see for example usage). This uses the Access-Control-Allow-Origin HTTP header. Note that some older browsers don't support this. This only affects requests to the API. Other entry points (index.php) are not affected.

The value must be a list of allowed domain names, which can include shell-style wildcards ( to match any character,   to match any number (including zero) of characters). An empty array means no external access is allowed.

Some examples:

Allow any domain to access the API via Ajax (This is insecure):

Allow two specific domains:

Allow all subdomains of a domain (including "deep" subdomains such as ):

See 9624 for a usage example.