Manual:$wgCrossSiteAJAXdomains

Details
Allows AJAX requests from certain domains to make cross-site requests to a wiki's API. This uses the Access-Control-Allow-Origin HTTP header. Note that some older browsers don't support this. This only affects requests to the API. Other entry points (index.php) are not affected.

This variable can be set in 3 ways:

It can be used to allow any domain to access the API via AJAX:

It can be set to an array of domains to allow:

By default the variable is set to an empty array (no external access allowed).