The W3C working draft on cross-origin resource sharing ( http://www.w3.org/TR/cors/ ) specifies how browsers can send AJAX requests which normally wouldn't be allowed by same-origin rules. Specifically, the response of the server must contain an Access-Control-Allow-Origin header with the list of domains which are allowed to send requests. At least Firefox 3.5 and Explorer 8 already support this. Support for such a setting in the MediaWiki API could allow user scripts to perform functions that affect multiple sites (such as moving images to Commons, or combining watchlists from multiple sites), toolserver scripts to access the wikis with a sound security model (the script can instruct the browser to do stuff on a wiki without asking for passwords or session cookies), and 3rd party MediaWiki installations to have a public read/write API suitable for widgets and mashups.
The only possible security problem I can think of would be if a MediaWiki installation allowed both user scripts and page edit requests from untrusted domains. You could either disallow remote API calls to write .js pages, or leave this to be the responsibility of the one configuring the site (i.e. do not enable $wgAllowUserJs / $wgUseSiteJs when API requests from untrusted domains are enabled).
Version: unspecified
Severity: enhancement
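
One way the server-side check discussed in this report could look, as an added example that is not part of the original report and is not MediaWiki code. The function names, the config array keys (`allowUserJs` and `useSiteJs` stand in for `$wgAllowUserJs` / `$wgUseSiteJs`), the `.js` title test and all sample origins are assumptions made for illustration.

```php
<?php
// Added example; names, config keys and sample values are hypothetical, not MediaWiki code.
// True if $origin matches an allow-list entry; "*" in an entry stands for exactly one DNS label.
function originAllowed(string $origin, array $patterns): bool {
    // Accept only scheme://host[:port]; "null" or malformed Origin values never match.
    if (!preg_match('#^https?://[a-z0-9.-]+(:\d+)?\z#i', $origin)) {
        return false;
    }
    foreach ($patterns as $pattern) {
        $re = '#^' . str_replace('\*', '[a-z0-9-]+', preg_quote($pattern, '#')) . '\z#i';
        if (preg_match($re, $origin)) {
            return true;
        }
    }
    return false;
}
// Decide whether to run the API request and which CORS response headers to send.
function corsDecision(array $req, array $cfg): array {
    $deny = ['run' => false, 'headers' => []];
    $origin = $req['origin'] ?? null;
    if ($origin === null) {
        return ['run' => true, 'headers' => []]; // no Origin header: not a cross-origin browser call
    }
    if (!originAllowed($origin, $cfg['allowedOrigins'])) {
        // Refuse outright: omitting the header alone does not stop a non-preflighted POST from running.
        return $deny;
    }
    $isWrite = in_array($req['action'], $cfg['writeActions'], true);
    $isJsPage = preg_match('/\.js\z/i', $req['title'] ?? '') === 1; // simplified title test
    if ($isWrite && $isJsPage && ($cfg['allowUserJs'] || $cfg['useSiteJs'])) {
        return $deny; // a remote origin must not write script pages that the wiki later serves
    }
    return ['run' => true, 'headers' => [
        'Access-Control-Allow-Origin' => $origin,     // echo the one matching origin, never "*"
        'Access-Control-Allow-Credentials' => 'true', // lets the browser use the user's session
        'Vary' => 'Origin',                           // keeps caches from reusing it for other origins
    ]];
}
// Constructed sample configuration and requests.
$cfg = ['allowedOrigins' => ['https://*.wikipedia.example', 'https://commons.example'],
        'writeActions' => ['edit', 'move', 'upload'], 'allowUserJs' => true, 'useSiteJs' => true];
$samples = [
    ['origin' => 'https://en.wikipedia.example', 'action' => 'move', 'title' => 'File:Foo.png'],
    ['origin' => 'https://en.wikipedia.example', 'action' => 'edit', 'title' => 'User:A/common.js'],
    ['origin' => 'https://en.wikipedia.example.other.test', 'action' => 'edit', 'title' => 'Sandbox'],
];
foreach ($samples as $req) {
    echo "{$req['origin']} {$req['action']} {$req['title']} => ", corsDecision($req, $cfg)['run'] ? 'run' : 'deny', "\n";
}
```

The third sample shows why the pattern match is anchored at both ends: an origin that merely begins with an allowed host name is rejected.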