Some of us at the hackathon ran into this old bug again:
https://phabricator.wikimedia.org/T62835
namely, the MediaWiki API currently completely forbids cross-origin
requests in the CORS config except for whitelisting authenticated requests
from our own domains, whereas it could also allow non-authenticated
cross-origin requests from non-whitelisted domains.
This would allow browser-side JavaScript code on other sites (tools,
mashups, whatever) to get anonymous data from Wikipedia, Wikidata, etc
without resorting to JSONP (an old-school hack whereby JSON data is loaded
via a callback in a <script> tag).
JSONP is fragile, and is unsafe for other sites to rely on, as it's a
potential cross-site scripting vector for them.
CORS is pretty mature these days, and should be something we can rely on. I
hope. :)
-- brion