Sadly even my bounty did not help to get answers, so I took a quick look around to gather some more info on the issue myself... First...
the general problem of XSS
Looking at XSS and some related issues/links, they discuss the problems more than solutions (which is ok).
Looking at the related Firefox docs about the JavaScript same-origin policy it becomes clear that our global slogan Security over Freedom¹ is also applied in this area. (Personally I don't like this way of solving the problem and would have liked to see another way to solve these problems as described at the end of this answer.)
¹: nicely attributed by Benjamin Franklin's (founder of the US) statement: He who sacrifices freedom for security deserves neither.
the CORS solution (=> external server dependencies)
The only supported standard/robust way seems to be to use the CORS (Cross Origin Resource Sharing) functionality.
Basically that means the external server has to at least deliver some CORS-compliant info (HTTP header Access-Control-Allow-Origin: *) to allow others (= the client browser) to request data/content/.... Which also means that if one does not have control over the external server there will be no general robust client-side/browser-way to do this at all :-(.
robust solution for server/client applications (if no external server control)
So if our external server does not support CORS or it is not configured to be usable by our requester origin (protocol/domain/port combination) it seems best to do this kind of access on our own application's server side where we do not have these kinds of restrictions, but of course other implications.
client-side solution I would have liked to see
Some introduction first to understand the client-side world I experience browsing the web as a standard user ...
I personally do not like to be tracked when browsing the web nor do I like to be slowed down with poor hardware or network resources nor do I want to get exposed to simply avoided data security issues when browsing the web. That's why I am using Firefox with various useful plugins like RequestPolicy, AdBlock Plus, Ghostery, Cookie Monster, Flashblock ... . This already shows a complexity, no average user usually could/would handle. But especially looking at RequestPolicy it shows how access to external resources can be handled on the client-side.
So if e.g. Firefox (without these plugins) would support some functionality to show the user a dialog similar to RequestPolicy, that could state something like the following, we could loosen the one origin policy:
[x] 'http://srcdomain.com' (this site)
[ ] all sites (select to block/allow for all sites)
would like to request some data from
[x] 'http://dstdomain.com'
[x] 'http://dst2domain.com'
in a generally considered UNSECURE way.
You can select one of the following options about how to proceed with
access to the selected sites from the selected sites:
[x] block always (generally recommended)
[ ] block only for this session
[ ] allow always (but not to subreferences) [non-recursively]
[ ] allow only for this session (but not to subreferences) [non-recursively]
[ ] allow always (and all subreferences) [recursively]
[ ] allow only for this session (and all subreferences) [recursively]
Of course this should be formulated as clearly as possible to the average user, which I certainly did not do here, and may be handled also by a default in the settings like the other existing technologies (Cookie Handling, JavaScript Handling, ...) do it.
This way I could solve the problem I have without much hassle, because I could nicely handle the amount of user setup required for this in my situation.
answer regarding easyXdm
I guess since they recommend CORS as well and depend on the browsers this is the only robust way, although some workarounds depending on browsers/versions/plugins like Flash and so on may still exist.
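An added example, not part of the original answer: a simplified JavaScript model of the check a browser applies before letting a page's script read a cross-origin response, covering the origin (protocol/domain/port) comparison and the Access-Control-Allow-Origin header discussed above. The function names and the lower-cased header object are assumptions made for the illustration; the host names are the ones from the dialog mock-up.

```javascript
// Simplified model of the browser-side CORS check for a plain GET request.
// Illustration only, not browser source code; header objects are constructed input.

// An origin is the scheme/host/port tuple. URL.origin serializes it and
// drops default ports (80 for http, 443 for https).
function originOf(url) {
  return new URL(url).origin;
}

// headers: plain object with lower-cased response header names.
// withCredentials: true when the request carries cookies or HTTP auth.
function scriptMayReadResponse(pageUrl, targetUrl, headers, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(targetUrl)) {
    return { allowed: true, reason: "same origin, CORS not involved" };
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*") {
    // The wildcard is only honoured for requests without credentials.
    return withCredentials
      ? { allowed: false, reason: "wildcard not accepted with credentials" }
      : { allowed: true, reason: "wildcard allows any origin" };
  }
  // Exact string comparison against the serialized origin, no pattern matching.
  if (allowOrigin !== pageOrigin) {
    return { allowed: false, reason: "header names a different origin" };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed by server" };
  }
  return { allowed: true, reason: "origin explicitly allowed" };
}

// Constructed sample: srcdomain.com reading from dstdomain.com.
const page = "http://srcdomain.com/app.html";
const target = "http://dstdomain.com/data.json";
console.log(scriptMayReadResponse(page, target, {}));
console.log(scriptMayReadResponse(page, target, { "access-control-allow-origin": "*" }));
console.log(scriptMayReadResponse(page, target, { "access-control-allow-origin": "*" }, true));
```

In every blocked case the server has still received and answered the request; the check only decides whether the page's script gets to see the response.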