Trying to use API REST client with on the same domain works good while using it cross-domain (= CORS requests) seems to fail for several reasons :

1. On the server side: when a preflight request is send, the response headers do not contains the Access-Control-Allowed-Methods despite of the nelmio_cors config. The original request is then rejected (405 method not allowed). This header seems to be overwritten by an empty value somewhere in ezPublishRestBundle
2. On the client side: no session cookie is send within a request. This seems to come from a missing statement in CAPI.js :

   XHR.withCredentials = true;
   

Note: reaching problem 2 is only possible by hacking ezPublishRestBundle to get rid of problem 1

Full details
Read this stackoverflow post for a full detailed explanation of the problem