Very interesting defense. It seems that it works because the attacking AJAX call is done with content dataType 'script'. I don't think it'll be too hard for the attacker to fix that.
It's either that or call a JSONP endpoint, which could still throw up the alert. CORS protects standard AJAX from requesting anything outside the current domain.