I am not able to access cross domain resources from my javascript file using XMLHttpRequest(). I understand that there are a few similar questions, I went through some of them but I have a bit of confusion regarding some of the details. I will mention my exact Setup and my specific doubts.

Setup:

I have my HTML and JS files on an apache server running on a ubuntu machine present in my local LAN network . The application is bascially hls plugin for video.js. From my windows PC in the same local LAN, I open the index.html file for the hls player. As long as I select video content which is present on the linux machine, it works fine as expected, but on giving it an external content( E.g. http://devimages.apple.com/iphone/samples/bipbop/bipbopall.m3u8), it fails and gives the error:

XMLHttpRequest cannot load http://devimages.apple.com/iphone/samples/bipbop/bipbopall.m3u8. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://172.20.33.49' is therefore not allowed access.

(Here 172.20.33.49 is the IP of the linux machine)

So my queries are:

1. On which server should the Access-Control-Allow-Origin header be set to appropriate value(lets say '*' for simplicity) for this to work: on my local linux server or the server hosting the external content or both?

2. Is there any setting/configuration/code change which I need to do in my browser/javascript or HTML code for this to work?

3. As a general query, is there anything the client can/should do for CORS to work or is it purely a server requirement/configuration?
4. Is the 'Access-Control-Allow-Origin' mandatory in HTTP responses? If not then what does its absence mean - Does it mean only resources from same domain can be accessed or does it mean all domains are accessible(equivalent to *) ? Is there any way a client can force a server to add this header?