We don’t support CORS on the API, unfortunately. statuses/oembed also requires OAuth in 1.1, which I could see being problematic with how you might be using it…
For the time being, you might find yourself better served by 1.0’s OEmbed endpoint using JSON-P.