To prevent a cross-domain request, origin and target domain must be exactly the same: in host, domain and port (same origin policy). However, you have some options to prevent CORS anyway:
- Put website and API in the same domain - kinda obvious ;)
- Create some kind of server-side proxy script (PHP, Node.js or whatever you like), which routes the request via curl or anything similar to the API. This should prevent the OPTIONS headers, but needs another HTTP request (AJAX <-> website httpd <-> API httpd).
- A similar solution is to use Apache as a reverse proxy (howto here). Like the script solution this also results in two HTTP requests, but I assume a reverse proxy causes less overhead.
- You could also use JSONP, but the API needs to support it (so you might have to reimplement the website<->API communication) and your API won't be RESTful anymore (if you care about it).
I would go with either way one or way three, as the script solution just feels too clumsy ;) I would also suggest checking whether it is really necessary to run API and website on different domains. The OPTIONS headers usually don't cause too much overhead, so you might consider optimizing other parts of your code first.
Maybe you could put the website and the API in one domain and only the database for the API on another server? Just an idea...
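
The server-side proxy script from the second option, as an added Node.js example that is not part of the original answer: the browser only talks to the website's own origin under `/api/`, and the script forwards to one pinned API origin so it cannot be used to reach arbitrary hosts. The origin `https://api.example.com`, the `/api/` prefix, the body cap and all function names are assumptions; it needs Node 18.3 or later for the global `fetch` and `appendHeader`.

```javascript
// Added example, not from the original answer; all names and values are assumptions.
const API_ORIGIN = 'https://api.example.com'; // fixed in config, never read from the request
const PREFIX = '/api/';                       // only this path prefix is proxied
const MAX_BODY = 1 << 20;                     // cap on buffered request bodies (1 MiB)
// Headers tied to one hop, or stale once fetch() has decoded the body.
const DROP = new Set(['host', 'connection', 'keep-alive', 'te', 'trailer', 'upgrade',
  'transfer-encoding', 'content-length', 'content-encoding',
  'proxy-authenticate', 'proxy-authorization']);

// Map the browser's same-origin path to the API URL; null means "do not proxy".
function upstreamUrl(reqUrl) {
  if (typeof reqUrl !== 'string' || !reqUrl.startsWith(PREFIX)) return null;
  const url = new URL(reqUrl.slice(PREFIX.length - 1), API_ORIGIN);
  // "/api//other.host/x" parses as a protocol-relative URL, so re-check the origin.
  return url.origin === API_ORIGIN ? url.href : null;
}

// Keep only [name, value] header pairs that are safe to copy across.
function forwardHeaders(pairs) {
  return [...pairs].filter(([name, value]) =>
    typeof value === 'string' && !DROP.has(name.toLowerCase()));
}

async function handler(req, res) {
  const target = upstreamUrl(req.url);
  if (!target) { res.writeHead(404).end(); return; }
  try {
    const chunks = [];
    let size = 0;
    for await (const chunk of req) {
      if ((size += chunk.length) > MAX_BODY) { res.writeHead(413).end(); return; }
      chunks.push(chunk);
    }
    const upstream = await fetch(target, {
      method: req.method,
      headers: forwardHeaders(Object.entries(req.headers)),
      body: chunks.length ? Buffer.concat(chunks) : undefined,
      redirect: 'manual', // hand redirects to the browser instead of following them
    });
    for (const [name, value] of forwardHeaders(upstream.headers)) res.appendHeader(name, value);
    res.statusCode = upstream.status;
    res.end(Buffer.from(await upstream.arrayBuffer()));
  } catch (err) {
    res.statusCode = 502; // upstream unreachable or request rejected by fetch()
    res.end();
  }
}
// Start the proxy on the website's own origin, e.g. start(8080).
async function start(port) { return (await import('node:http')).createServer(handler).listen(port); }
```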