Embedding is easy - just cut-n-paste the html initialization code generated by the toolkit (first run the application without embedding and see the source generated).
You are correct about xss - both page and application must come from the same server. There are some tricks, how to loose the xss limits to “same domain” from same server.
One practical solution is also to use iframes for embedding application. This way there are no xss problems at all.