Support cross-domain mashups with CORS

It is likely that many of your API consumers will want to mash up your API service with services from other agencies or private sector domains using purely client-side applications (for example, mobile apps or single-page apps). Agencies should support this model by delivering Cross-Origin Resource Sharing (CORS) enabled services by default.

There’s a good description of CORS, with examples, from Mozilla under ‘Overview’.
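
As an added illustration (not part of the original guidance or any agency's code), the JavaScript below computes the CORS response headers for a public read-only API that any origin may call, and for an API restricted to an allow-list of origins that also accepts credentials. The policy object shape, the function name and the example origins are assumptions made for this example.

```javascript
// Hypothetical policy for a public, read-only API: any origin, no cookies.
const PUBLIC_POLICY = {
  origins: '*',                          // '*' or an array of exact origins
  methods: ['GET', 'HEAD', 'OPTIONS'],
  headers: ['Content-Type', 'Accept'],
  credentials: false,
  maxAge: 600,                           // seconds a browser may cache the preflight
};

// Returns { status, headers } for the CORS part of a response.
// reqHeaders uses lower-case keys, as Node's http module provides them.
// status is 204 for a preflight and null when the normal handler should run.
function corsResponse(method, reqHeaders, policy) {
  const origin = reqHeaders['origin'];
  const headers = {};
  if (!origin) return { status: null, headers };   // not a cross-origin browser request

  if (policy.origins === '*') {
    // Browsers refuse a wildcard origin combined with credentials; fail loudly.
    if (policy.credentials) throw new Error('wildcard origin cannot allow credentials');
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    headers['Vary'] = 'Origin';                    // response differs per origin; keeps caches correct
    if (!policy.origins.includes(origin)) return { status: null, headers };
    headers['Access-Control-Allow-Origin'] = origin;   // exact match only, never a substring test
    if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }

  const isPreflight = method === 'OPTIONS' &&
    reqHeaders['access-control-request-method'] !== undefined;
  if (!isPreflight) return { status: null, headers };

  headers['Access-Control-Allow-Methods'] = policy.methods.join(', ');
  headers['Access-Control-Allow-Headers'] = policy.headers.join(', ');
  headers['Access-Control-Max-Age'] = String(policy.maxAge);
  return { status: 204, headers };
}

// Constructed sample: a preflight sent by a single-page app on another origin.
console.log(corsResponse('OPTIONS',
  { origin: 'https://app.example', 'access-control-request-method': 'GET' },
  PUBLIC_POLICY));
```

An origin that is not on the allow-list receives no Access-Control-Allow-Origin header, so the browser blocks the calling script from reading the response.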