I think we need to consider what CORS is - and why it exists as this is the error! (having an unauthenticated web service is a different albeit important issue)
CORS is there to stop/allow web pages from accessing other web servers other than the server that the web page is originally server from. I.e. if I access a page from www.wombling.com I should not expect it to be fetching data from www.sap.com and presenting it. Mainly this restriction is to secure web pages and to stop injection of content from other sources. By using CORS a web service explicitly nominates the servers to which it should be allowed to publish content and which are allowed to read content from it.
Because your UI5 app is running on a different domain to your web service you cannot consume the web service inside the app unless the service supports CORS.
Have a look at this thread which deals with adding CORS support to your XSOData service.