by davewasmer 5280 days ago
If it were to operate as simply a REST API, then the service could simply return everything via JSONP to avoid the CORS trap.
2 comments

JSONP only works for GET requests. It's not 'proper' AJAX. You wouldn't be able to POST, PUT or DELETE.
JSONP should only be used for public web services. Otherwise, any third party website could make privileged calls.

The BaaS architecture is actually a perfect situation for making privileged calls with CORS, because the server is wholly responsible for the user's identity and permissions.
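
The server-side decision the comments above rely on, as an added example that is not part of the thread or any commenter's code: with CORS the API can check the `Origin` header and the preflighted method before a privileged call is served, whereas a JSONP response runs as script in any page that includes it. The allowed origin, the header list and the function name `corsDecision` are assumptions made for illustration.

```javascript
// Added example. Origins, header list and function names are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = "Content-Type, Authorization";

// method: HTTP method; reqHeaders: lower-cased header map (as in Node's req.headers).
// Returns { status, headers } the API should answer with before any handler runs.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  // Vary: Origin keeps shared caches from replaying one origin's answer to another.
  const headers = { "Vary": "Origin" };

  // No Origin header: not a cross-origin browser call, CORS does not apply.
  if (origin === undefined) return { status: 200, headers };

  // Unknown origin: refuse and emit no Access-Control-* headers at all.
  // Never echo an arbitrary Origin together with Allow-Credentials.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  const requested = reqHeaders["access-control-request-method"];
  if (method === "OPTIONS" && requested !== undefined) {
    // Preflight: the browser asks before sending PUT, DELETE or a non-simple POST.
    if (!ALLOWED_METHODS.includes(requested)) {
      return { status: 403, headers: { "Vary": "Origin" } };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    return { status: 204, headers };
  }
  // Actual request from an allowed origin: let the handler run.
  return { status: 200, headers };
}
```

The function only decides the CORS answer; the handler behind it still has to authenticate the user and check permissions on every call.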