iControlREST Access-Control-Allow-Origin Response Header

I have been investigating how to access the iControlREST API via JavaScript in a browser instead of with a server language.

 

How can we configure the BIG-IP to provide the proper Access-Control-Allow-Origin response HTTP header when making a CORS request to the API? (This header is listed in the API User Guide, which indicates to me that it's possible, but I find no documentation how to configure the list of allowed domains.)