marklogic-community / ml-rest-lib

An XQuery library designed to make it easier to develop and deploy RESTful web services on MarkLogic Server

Implement cross-origin resource sharing (CORS)

jmakeig opened this issue · comments

There's some relatively straightforward HTTP magic that will allow browser clients to access resources on different domains via AJAX. I'd like to be able to configure Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers on an individual resource level as well as globally in my REST services.

See http://www.w3.org/TR/cors/ and https://developer.mozilla.org/En/HTTP_access_control.

Here’s the most basic example with authentication:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>CORS</title>
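  <script type="text/javascript">
function testCORS() {
  var url = "http://localhost:8002/manage/v1/databases/Documents/config?format=json";
  // typeof check avoids a ReferenceError where XMLHttpRequest is not defined
  if (typeof XMLHttpRequest !== "undefined") {
    var request = new XMLHttpRequest();
    if ("withCredentials" in request) {
      // Firefox 3.5 and Safari 4
      request.open('GET', url, true);
      // Boolean flag: send cookies and HTTP authentication with the cross-origin request
      request.withCredentials = true;
      request.onreadystatechange = function() {
        // Log the body once the response is complete
        if (this.readyState === 4) {
          console.log(this.responseText);
        }
      };
      request.send();
    }
  }
}
  </script>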
</head>
<body>
  <button onclick="testCORS()">CORS</button>
</body>
</html>

Sorry, Justin, but I can't make heads or tails of this comment. I don't see what the CORS example does that involves two origins nor do I understand how it bears on the REST library.

CORS allows you to do cross-domain AJAX without having to resort to something hacky, like JSONP. It would be nice to be able to configure it declaratively in the REST library. The example above illustrates basic CORS-enabled client code. There are HTTP headers in the request and response that tell the browser to relax the same-origin security policy for XMLHttpRequest.
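The server side of the exchange requested in this issue, as an added example that is not part of the thread or of ml-rest-lib: it resolves a global CORS policy with per-resource overrides into the `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` response headers. It is written in JavaScript rather than the library's XQuery; the config shape, the `corsHeaders` function and the example origins are hypothetical.

```javascript
// Added example. Policy shape, names and origins are assumptions for illustration.
const corsConfig = {
  global: { allowOrigins: ["https://app.example.com"], allowCredentials: false },
  resources: {
    "/manage/v1/databases": { allowCredentials: true },
    "/public/status": { allowOrigins: ["*"] },
  },
};

function corsHeaders(config, path, origin) {
  // The longest matching resource prefix overrides the global policy.
  const key = Object.keys(config.resources)
    .filter((p) => path === p || path.startsWith(p + "/"))
    .sort((a, b) => b.length - a.length)[0];
  const policy = { ...config.global, ...(key ? config.resources[key] : {}) };
  const wildcard = policy.allowOrigins.includes("*");
  // Browsers refuse "*" on credentialed requests, so reject the config early.
  if (wildcard && policy.allowCredentials) {
    throw new Error(`${key || "global"}: "*" cannot be combined with credentials`);
  }
  const headers = {};
  if (!origin) return headers; // no Origin header: not a cross-origin browser request
  if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  headers["Vary"] = "Origin"; // response depends on Origin, so caches must key on it
  if (!policy.allowOrigins.includes(origin)) return headers; // not allowlisted
  headers["Access-Control-Allow-Origin"] = origin; // echo the allowlisted origin only
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```

An origin that is not on the allowlist gets no `Access-Control-Allow-Origin` header at all, so the browser keeps the same-origin policy in force for that response.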