See http://www.w3.org/TR/cors/ for the specification;
https://developer.mozilla.org/En/HTTP_Access_Control gives a nice description with examples.
Basically, if http://example.com needs to request the Stanbol server running at http://stanbol.demo.org,
then the request header will include
GET /resources/public-data/ HTTP/1.1
and the response needs to include
telling the browser that it can use the returned data with any other domain.
For requests other than GET and POST, and for POST requests with a content type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, one needs to use preflighted requests (somewhat more complex, because they require an additional OPTIONS request).
This would be a replacement for the request to implement JSONP. In addition, it is based on an official specification by the W3C and it supports all HTTP request types.
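The exchange described above, sketched from the server side as an added example (not Stanbol code and not part of the original text). The header names come from the CORS specification; the function names, the default allow-lists and the assumption that header names arrive in canonical case are illustrative.

```python
# Added example: decide when a browser preflights, and which CORS headers
# a server such as http://stanbol.demo.org would return.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}   # HEAD is also "simple" per the spec
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}

def needs_preflight(method, content_type=None):
    """True if the browser sends an OPTIONS preflight before the request.
    Custom request headers (not modelled here) also force a preflight."""
    method = method.upper()
    if method not in SIMPLE_METHODS:
        return True
    if method == "POST" and content_type is not None:
        mime = content_type.split(";")[0].strip().lower()
        return mime not in SIMPLE_CONTENT_TYPES
    return False

def cors_response_headers(method, headers, allowed_origins=("*",),
                          allowed_methods=("GET", "POST", "PUT", "DELETE"),
                          allowed_headers=("Content-Type",)):
    """Return the CORS headers to add to the response ({} means none)."""
    origin = headers.get("Origin")
    if origin is None:
        return {}                      # no Origin header: not a CORS request
    if "*" in allowed_origins:
        # Wildcard: any site may read the response. Suitable only for
        # public data; browsers refuse it for credentialed requests.
        out = {"Access-Control-Allow-Origin": "*"}
    elif origin in allowed_origins:
        # Allow-list: echo the matching origin and keep caches apart.
        out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    else:
        return {}                      # browser withholds the response
    requested = headers.get("Access-Control-Request-Method")
    if method.upper() == "OPTIONS" and requested:      # preflight
        if requested.upper() not in allowed_methods:
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        out["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
    return out

if __name__ == "__main__":
    print(cors_response_headers("GET", {"Origin": "http://example.com"}))
    print(needs_preflight("PUT", "application/json"))
```

Passing `allowed_origins=("http://example.com",)` restricts reads to that one site instead of any domain.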