Index: includes/DefaultSettings.php
===================================================================
--- includes/DefaultSettings.php (revision 54044)
+++ includes/DefaultSettings.php (working copy)
@@ -4104,3 +4104,25 @@
  * Array: Ids of namespaces to attempt match in, in desired order.
  */
 $wgSecondaryGoNamespaces = null;
+
+
+/**
+ * Settings for incoming cross-site AJAX requests:
+ * Newer browser support cross-site AJAX when the target allows requests from
+ * the origin domain by the Access-Control-Allow-Origin header.
+ * This is currently only used by the API (requests to api.php)
+ * $wgCrossSiteAJAXdomains can be set as follows:
+ *
+ * - the string '*' to allow requests from any domain
+ * - an array of domains to allow AJAX requests from, e.g.
+ * array( 'http://en.wikipedia.org', 'http://en.wikibooks.org' );
+ * - if $wgCrossSiteAJAXdomainsRegex is true, an array of regexes to be
+ * matched against the request origin. Anything that matches will be allowed
+ */
+$wgCrossSiteAJAXdomains = array();
+
+/**
+ * Set to true to treat $wgCrossSiteAJAXdomains as regexes instead of strings
+ */
+$wgCrossSiteAJAXdomainsRegex = false;
+
Index: api.php
===================================================================
--- api.php (revision 54044)
+++ api.php (working copy)
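Review bot: The docblock for $wgCrossSiteAJAXdomains does not say how array entries are matched, and operators will guess wrong: the api.php side compares each entry against the raw Origin header value, so an entry must be the exact scheme-plus-host string the browser sends (no path, no trailing slash), and `http://` and `https://` forms are distinct entries. The regex bullet should also tell the reader to anchor patterns, since an unanchored regex matches any origin that merely contains the expected host name somewhere in it. I would extend the second bullet with `entries are compared verbatim against the Origin request header (scheme and host only, e.g. 'https://en.wikipedia.org'; no trailing slash)` and the regex bullet with `patterns should be anchored (^...$) so that only the whole origin matches`. The '*' bullet could additionally note that browsers will not send cookies to a wildcard origin, which bears on what "allow requests from any domain" actually grants.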
@@ -69,6 +69,24 @@
 die(1);
 }
+// Selectively allow cross-site AJAX
+if ( $wgCrossSiteAJAXdomains && isset($_SERVER['HTTP_ORIGIN']) ) {
+if ( $wgCrossSiteAJAXdomains == '*' ) {
+header( 'Access-Control-Allow-Origin: *' );
+header( 'Access-Control-Allow-Credentials: true' );
+} elseif ( $wgCrossSiteAJAXdomainsRegex ) {
+foreach ( $wgCrossSiteAJAXdomains as $regex ) {
+if ( preg_match( $regex, $_SERVER['HTTP_ORIGIN'] ) ) {
+header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" );
+header( 'Access-Control-Allow-Credentials: true' );
+}
+}
+} elseif ( in_array( $_SERVER['HTTP_ORIGIN'], $wgCrossSiteAJAXdomains ) ) {
+header( "Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}" );
+header( 'Access-Control-Allow-Credentials: true' );
+}
+}
+
 // So extensions can check whether they're running in API mode
 define('MW_API', true);
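Review bot: The two branches that echo the request's Origin back in `Access-Control-Allow-Origin` never emit a `Vary: Origin` header, so any cache between the browser and api.php may store the response generated for one allowed origin and serve it to a request from a different one, either leaking the allowance or breaking the request; add `header( 'Vary: Origin' );` wherever the origin is reflected. The '*' branch pairs the wildcard with `Access-Control-Allow-Credentials: true`, a combination browsers refuse for credentialed requests, so either drop the credentials header there or document that '*' only serves anonymous requests. The exact-match branch uses loose comparison; it should be `in_array( $_SERVER['HTTP_ORIGIN'], $wgCrossSiteAJAXdomains, true )`, and the regex loop should `break;` after the first match so the headers are not emitted repeatedly. The `die(1); }` context at the top closes a block whose start is outside the hunk.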