Manual:$wgCrossSiteAJAXdomainExceptions/en

Details
Domains that should not be allowed to make AJAX requests, even if they match one of the domains allowed by.

Uses the same syntax as $CrossSiteAJAXdomains.