Some of us at the hackathon ran into this old bug again:
https://phabricator.wikimedia.org/T62835
namely, the MediaWiki API currently completely forbids cross-origin requests in the CORS config except for whitelisting authenticated requests from our own domains, whereas it could also allow non-authenticated cross-origin requests from non-whitelisted domains.
This would allow browser-side JavaScript code on other sites (tools, mashups, whatever) to get anonymous data from Wikipedia, Wikidata, etc. without resorting to JSONP (an old-school hack whereby JSON data is loaded via a callback in a <script> tag).
JSONP is fragile, and is unsafe for other sites to rely on, as it's a potential cross-site scripting vector for them.
CORS is pretty mature these days, and should be something we can rely on. I hope. :)
-- brion
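
The policy proposed above, sketched as an added example (not MediaWiki's code; the origins, the session store and the function names are constructed for illustration): whitelisted origins keep credentialed CORS, while every other origin gets a wildcard grant and is served strictly as an anonymous user.

```javascript
// Added illustration, not MediaWiki code. Origins are constructed placeholders.
const TRUSTED_ORIGINS = new Set([
  "https://en.wiki.example",
  "https://data.wiki.example",
]);

// Decide the CORS response headers and whether session cookies may be honoured.
// `origin` is the value of the request's Origin header (undefined if absent).
function corsDecision(origin, trusted = TRUSTED_ORIGINS) {
  // The response depends on Origin, so caches must key on it in every branch.
  const headers = { "Vary": "Origin" };
  if (!origin) {
    // No Origin header: not a cross-origin browser request, no grant needed.
    return { headers, honourCookies: true };
  }
  // Exact match only: prefix or suffix matching would accept look-alike hosts.
  if (trusted.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    return { headers, honourCookies: true };
  }
  // Any other origin may read the response, but only as an anonymous user.
  // Browsers refuse credentialed responses that carry a wildcard origin, and
  // the server ignores the cookie as well, so no logged-in data is produced.
  headers["Access-Control-Allow-Origin"] = "*";
  return { headers, honourCookies: false };
}

// Resolve which user the API should act as for this request.
// `sessions` maps a Cookie header value to a user name (constructed store).
function resolveUser(request, sessions) {
  const { headers, honourCookies } = corsDecision(request.headers.origin);
  const user = honourCookies
    ? (sessions.get(request.headers.cookie) ?? null)
    : null;
  return { headers, user };
}
```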