When accessing the API using a cross-domain AJAX request (CORS), set this to the originating domain. This must be included in any pre-flight request, and therefore must be part of the request URI (not the POST body). This must match one of the origins in the Origin
header exactly, so it has to be set to something like https://en.wikipedia.org or https://meta.wikimedia.org. If this parameter does not match the Origin
header, a 403 response will be returned. If this parameter matches the Origin
header and the origin is whitelisted, an Access-Control-Allow-Origin
header will be set.
MediaWiki:Apihelp-main-param-origin
From GelhausRef