Manual:$wgCrossSiteAJAXdomains

Details
Allows AJAX requests from certain domains to make cross-site requests to a wiki's API. This uses the Access-Control-Allow-Origin HTTP header. Note that this is only supported by newer browsers (FF 3.5 and IE8 as of August 2009). This only affects requests to the API. Other entry points (index.php) are not affected.

This variable can be set in 3 ways.

It can be used to allow any domain to access the API via AJAX: It can be set to an array of domains to allow: Or, if $wgCrossSiteAJAXdomainsRegex is set to true, it can be an array of regexes to match against the request domain (using preg_match):

By default the variable is set to an empty array (no access allowed).