API: Allow anonymous CORS from anywhere, when specifically requested

This allows any external site to do with CORS what they can already do
with jsonp: submit a request that will be processed as if logged out.
This is done by accepting '*' as a value for the existing 'origin' URL
parameter that is currently required in order to do any CORS requests
against MediaWiki.

The response to such a request will specifically include
"Access-Control-Allow-Credentials: false" to instruct the browser not to
send cookies or other authentication data, and further the API will
apply all the same restrictions (forcing an anonymous user and
forbidding certain actions such as token fetch) that it currently does
for jsonp requests.

Bug: T62835
Change-Id: I30e359fb23f0511242dfb4bff68718668947aaf5
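
The policy this commit message describes, modelled as an added example that is not part of the commit or of MediaWiki's own code. The allowlist, the function names, the `tokens` action string, the `Access-Control-Allow-Origin: *` value and the shape of the credentialed branch are assumptions made for illustration.

```javascript
// Model of the policy the commit message describes. Not MediaWiki source code.
// ALLOWED_ORIGINS and all function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://trusted.example"]); // constructed sample

// Actions refused for anonymous-mode requests. The commit names token fetch;
// the action string used here is an assumption.
const BLOCKED_WHEN_ANONYMOUS = new Set(["tokens"]);

function corsDecision(originParam, originHeader) {
  if (originParam === undefined) {
    // No origin parameter: no CORS headers, so browsers block cross-site reads.
    return { headers: {}, forceAnonymous: false };
  }
  if (originParam === "*") {
    // Anonymous mode: any site may read the response, never with credentials.
    return {
      headers: {
        "Access-Control-Allow-Origin": "*", // assumption, not stated in the commit
        "Access-Control-Allow-Credentials": "false",
      },
      forceAnonymous: true,
    };
  }
  // Credentialed mode (assumed shape): the parameter must equal the Origin
  // header and be on the allowlist.
  if (originParam === originHeader && ALLOWED_ORIGINS.has(originParam)) {
    return {
      headers: {
        "Access-Control-Allow-Origin": originParam,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
      },
      forceAnonymous: false,
    };
  }
  return { headers: {}, forceAnonymous: false, rejected: true };
}

function handleRequest(req) {
  const decision = corsDecision(req.query.origin, req.headers.origin);
  if (decision.rejected) return { status: 403, headers: {}, user: null };
  // Session data is ignored in anonymous mode, even if the browser sent it.
  const user = decision.forceAnonymous ? null : (req.sessionUser ?? null);
  if (decision.forceAnonymous && BLOCKED_WHEN_ANONYMOUS.has(req.query.action)) {
    return { status: 403, headers: decision.headers, user };
  }
  return { status: 200, headers: decision.headers, user };
}
```

The server-side `forceAnonymous` step is what makes the wildcard safe: the response header only asks the browser not to send credentials, so the handler must also discard any session it receives.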