Manual:$wgAllowCrossOrigin

Details
Allow anonymous cross origin requests.

This should be disabled for intranet sites (sites behind a firewall).