睇 MediaWiki:Apihelp-main-param-crossorigin 嘅原碼

When accessing the API using a cross-domain AJAX request (CORS) and using a session provider that is safe against cross-site request forgery (CSRF) attacks (such as OAuth), use this instead of <code>origin=*</code> to make the request authenticated (i.e., not logged out). This must be included in any pre-flight request, and therefore must be part of the request URI (not the POST body).

Note that most session providers, including standard cookie-based sessions, do not support authenticated CORS and cannot be used with this parameter.