With Chrome Web Apps, you can set the manifest file to ignore the same-origin policy. You can see this document: https://developer.chrome.com/extensions/xhr
That is the easiest solution I can think of. Alternatively, you may download the tgz file and decompress it on the client, or you can create a proxy to retrieve the JSON file (a web page that downloads the file and sends it back to the client with the appropriate headers).