Found it.
This kinda explains it. It's called 'mixed content'
https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content
It's not that it isn't supported, it's a security hole for HTTPS. When you go from a HTTPS site and make a request to a HTTP site, it falls under the 'mixed content' and gets blocked.
If you made the AJAX call from an HTTP site to another HTTP site, it would likely have gone through without issue. It was the call from HTTPS to HTTP that caused the problem.
preview.construct.net is an HTTPS site.
THANK YOU Fengist!
For me now things seems to be less foggy, thanks to your help.
(Ajax) HTTP -> (Ajax) HTTPS = No problems
(Ajax) HTTPS -> (Ajax) HTTP = Headaches :))