No Access-Control-Allow-Origin Header on resource of API endpoint

Question

I am trying to use jQuery XHR to send a simple GET request to an API at Zillow. I can see in my browser, and in Postman, that the request returns correctly. I've censored my API key below -- but the request could not be simpler.

$.ajax({
            url: 'http://www.zillow.com/webservice/GetMonthlyPayments.htm?zws-id=<APIKEY_GOES_HERE>&zip=89509&output=json&price=300000&down=25',
            success: function(data){alert('done');},
            dataType: 'json'
          });

I can see in the console that it comes back with the standard Cross-Domain error, via localhost or when on the server.

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '<MY-DOMAIN>' is therefore not allowed access.

I've used many APIs this way and I don't understand -- is it really that stupid? They expose an API but don't allow CORS? That just doesn't make any sense to me and I figure I must be missing something obvious.

• Do I have to preflight due to some obscure condition on their end?
• If they really don't allow CORS, can anyone help me understand the purpose of this endpoint?
• The API is documented very nicely here .

Thanks Stack. Appreciate your help.

---

Edit: If you'd like to see what I'm seeing, you can get an API key with no sweat.

Answer 1

It looks like they have forbidden CORS. What you need to do is set up your own server that hits Zillow's endpoint, and use AJAX to hit that route on your own server. I believe the purpose of this is to suppress CSRF, so the user's cookies will not be sent to Zillow since it is going through your server instead of going directly to Zillow from the browser.