I'd like to point out that this  approach is not perfect. One situation in which it fails is in the universal javascript environment. To the best of my knowlege, the server is unable to prepare the closure in a way that is not suseptible to a change in source code. While CORS would protect the server from processing request made by a malicious local host, something just feels wrong about storing the authentication information in generated source code. If you have any other ideas or solution, please comment.