Final thing I have found, just to help anyone else who comes up against this. If you own the responding server (i.e. are in control of the app code), you can respond with the header:
'access-control-allow-origin' => "*"
This is not recommended unless the API is intended to be public, but I think in these cases this would be fine. More info here: