How does the following script manage to pull data from an external domain without requiring CORS headers?

Script in Question:

You can click "view source" at the bottom to pull up the exact PHP and Javascript being used.

I used part of this script to extract images on a site of mine from another on separate domains and servers. I had to go to the one being scraped and add a CORS header "Access-Control-Allow-Origin" to allow my specific domain to do the AJAX $ .post and actually receive data.

The script above does not require any site to have the CORS header for security. As far as I can tell I’m doing nothing different.

I have an HTML form then I’m grabbing the field data with jQuery and doing a $ .post where the action is a PHP file that uses DomDocument to grab the HTML. The PHP then sorts through the data and echoes a JSON object. Then the jQuery sorts it all out and displays it on the page. Same thing they’re doing.

I can’t see how they’re getting around the need for a "Access-Control-Allow-Origin" header on the site they’re grabbing images from?

Thanks for your time and energy in this!