It’s just another GET parameter that you add in the URL. Like
https://en.wikipedia.org/w/api.php?action=query&origin=*&format=json&list=search&srsearch=magic. The asterisk is not a placeholder; you type it in.
It is explained in the API sandbox.
When accessing the API using a cross-domain AJAX request (CORS), set this to the originating domain. This must be included in any pre-flight request, and therefore must be part of the request URI (not the POST body).
For authenticated requests, this must match one of the origins in the
Origin header exactly, so it has to be set to something like
https://meta.wikimedia.org. If this parameter does not match the
Origin header, a 403 response will be returned. If this parameter matches the
Origin header and the origin is whitelisted, the
Access-Control-Allow-Credentials headers will be set.
For non-authenticated requests, specify the value *. This will cause the
Access-Control-Allow-Origin header to be set, but
Access-Control-Allow-Credentials will be
false and all user-specific data will be restricted.
To be honest I don’t quite understand, but plugging in
* seems to solve the CORS issue.