I am writing a REST service that is to be accessed by web applications, desktop clients, mobile clients etc. via a REST interface. The idea is to store objects like notes, calendar events etc. in a common hierarchy and to provide HTTP methods for creating, updating and deleting documents, so this should be the ideal scope for a REST interface.

My plan is to have a REST server somewhere and web applications other servers using the data, so I need to make cross-domain request which are under special restrictions for security reasons (see e.g. this article). I also want to do some real-time updating web stuff.

Now I have been doing extensive research, learning what CORS is and trying it out (with tornado and jQuery.ajax), but by now, I’m getting the suspicion the setup I’m aiming is simply coming to soon. I only tried with Firefox (both 3.6 and 9), but I’m already having problems:

• HTTP authentication does not to work with jQuery.ajax() (even if withCredentials is set)
• some browsers do not support CORS at all (says Wikipedia)
• at least one FF plugin (RequestPolicy) makes CORS not work at all

I understand that CORS/AJAX is a possible solution, but there seem to exist too many restrictions for a practical use. What do you people who did this kind of thing before think: is this something I should just do and hope these problems will be solved by someone sometime in the future? Or is just too soon for the cross-domain REST/AJAX approach? What alternative would you choose for the above plans? As I am starting a new project, I would like to do it clean, without JSONP, proxies or other work-arounds, but if there’s no way around, I’d do that anyway.

Thanks for any answers!