Manual:$wgCrossSiteAJAXdomains

Details
Allows Ajax requests from certain domains to make cross-site requests to a wiki's API (see  for example usage).

This uses the Access-Control-Allow-Origin HTTP header.

Note that some older browsers don't support this (see http://caniuse.com/#feat=cors).

This only affects requests to the API.

Other entry points (index.php) are not affected.

The value must be a list of allowed domain names, which can include shell-style wildcards ("?" to match any character, "*" to match any number (including zero) of characters).

An empty array means no external access is allowed.

Some examples:

Allow any domain to access the API via Ajax (this is insecure):

Allow two specific domains:

Allow all subdomains of a domain (including "deep" subdomains such as  ):
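
The three cases listed above, written out as an added example (not taken from the MediaWiki manual or code base). The domain names are constructed placeholders, the "dot left out" entry is an extra case added for comparison, and `originDomainAllowed()` is a hypothetical helper that models the wildcard rules as this page describes them, assuming the pattern is compared against the requesting domain name only, so a list can be reviewed before it goes into LocalSettings.php.

```php
<?php
// Added example, not MediaWiki code. Domain names are constructed placeholders.

// Candidate values for $wgCrossSiteAJAXdomains, one per case discussed above.
$candidates = [
	'any domain (insecure)' => [ '*' ],
	'two specific domains'  => [ 'app.example.org', 'tools.example.net' ],
	'all subdomains'        => [ '*.example.org' ],
	'dot left out'          => [ '*example.org' ],
	'no external access'    => [],
];

// In LocalSettings.php exactly one list is assigned:
$wgCrossSiteAJAXdomains = $candidates['two specific domains'];

/**
 * Hypothetical helper modelling the wildcard rules as this page describes them:
 * "?" is any one character, "*" is any run of characters (including none),
 * everything else is literal and the pattern must cover the whole domain.
 */
function originDomainAllowed( string $domain, array $patterns ): bool {
	foreach ( $patterns as $pattern ) {
		// Quote regex metacharacters, then turn the two wildcards back on.
		$regex = strtr( preg_quote( $pattern, '/' ), [ '\*' => '.*', '\?' => '.' ] );
		if ( preg_match( '/^' . $regex . '\z/', $domain ) === 1 ) {
			return true;
		}
	}
	return false;
}

// Constructed requesting domains to check each candidate list against.
$probes = [ 'app.example.org', 'a.b.example.org', 'example.org',
	'notexample.org', 'example.org.other.test' ];

foreach ( $candidates as $label => $patterns ) {
	echo $label, ': ', json_encode( $patterns ), "\n";
	foreach ( $probes as $domain ) {
		$verdict = originDomainAllowed( $domain, $patterns ) ? 'allowed' : 'denied';
		printf( "  %-24s %s\n", $domain, $verdict );
	}
}
```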

See 9624 for a usage example.