Scoped REST-calls directly from web-pages using CORS

Nowadays, most web services offers some form of API-keys to access and update data programmatically. But there's usually a little catch: API-keys are full access and thus only usable from server to server. Some services has started to offer OAuth-access, but that involves some sort of authentication first.