troubleshooting CORS problems

client.js

var handleRequest = function () {
  // custom logic here, yet to be called
};
var makeRequest = function (url) {
  'use strict';
  // not using jquery here, so it is verbose
  var requestQuote = new XMLHttpRequest();
  // I read that 'withCredentials' was neccessary for the server to set the proper
  // 'Access-Control-Allow-Credentials: true' header on their response.
  requestQuote.withCredentials = true;
  requestQuote.addEventListener('onload', handleRequest); // listen for request to finish (doesn't happen!)
  requestQuote.open('GET', url, true);
  window.console.log(requestQuote);
  requestQuote.send(); //request is sent but ultimately timesout or is insecure (Google Chrome)
};
var clickHandler = function () {
  'use strict';
  window.alert('click'); //this definitely happens!
  var url = 'http://api.forismatic.com/api/1.0/?method=getQuote&lang=en&format=json';
  //codepen web hack for https -> http CORS
  ///**/url = 'https://crossorigin.me/' + url; //This host may/may not have been down causing issues
  makeRequest(url);
};
var trigger = document.getElementById('next'); //button triggers next quote
trigger.onclick = clickHandler;