I think a requirement should be that the Access-Control-Allow-Origin header is given a default value of
* for wikis that are not on an intranet (i.e. behind a firewall). It is completely safe to set this as the default value. MediaWiki should allow this behavior to be disabled if you are running MediaWiki on an intranet.
Doing this will provide for a much better developer experience as developers will be able to use the API from another origin automatically.
See related task T210790.