Manual:$wgRestAllowCrossOriginCookieAuth

Details
Allows authenticated cross-origin requests to the REST API with session cookies.

With this option enabled, any origin specified in $wgCrossSiteAJAXdomains may send session cookies for authorization in the REST API.

There is a performance impact by enabling this option.

Therefore, it should be left disabled for most wikis and clients should instead use OAuth to make cross-origin authenticated requests.