Is it possible to enable cross-site scripting?
Yes, but this is a client-side setting which needs to be enabled on every single browser which accesses your learning content.
In some organisations - for example in ours - users are not allowed to change security-sensitive settings of their browsers.
I don't even know, whether such a setting is available in all browsers.
In your original post, you stated that your SCORM SCO does not need server communication at all.
How about changing your learning object into a SCORM Asset?
Unlike a SCO, Assets don't need to perform a handshake with the server.
So, - I guess -, they can be served from an external server.
In case this doesn't work. You may consider creating a SCO which consists of a frameset (or an iframe).
The frame contents can be serverd from an external server.
Assuming that no communication needs to take place between the frame contents and the SCO.