OK, I've been digging into this a bit further. When I do a request from a remote machine, I do get an Access-Control-Allow-Origin: * header, but from my local machine, this header is missing.

I assume that the proxy on this network discards the header and thus breaks the site.