If access is truly public, I would say that this is a good solution. However, if you want to restrict access to your site, you probably want to specify the explicitly permitted domain origin.
Since you say that your answer does not contain confidential information, you probably do not need to worry about hosting your service via HTTPS. The only reason you can do this is if the HTTPS client page is trying to access your non-HTTPS service. In this case, I assume that they will receive a warning about unsafe information sent / received when the AJAX service is called, and possibly even just silence. If this is a common enough case, I would say look at the HTTPS service. Make sure your HTTPS certificate is certified correctly, because if the client's browser cannot verify the certificate, the AJAX request will be silent (unlike the prompt when you go directly to the HTTPS page)! In addition, I do not know how this will happen in your case, but whenever I worked with HTTPS, I usually had to configure everything to make them function properly.
In short, I would start with HTTP and then appreciate the need for HTTPS. Good luck.
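The "explicitly permitted origin" option from the answer above, as an added example that is not part of the original post. It assumes the AJAX service is exposed through CORS response headers; the allowlisted origins and the function names `normalizeOrigin` and `corsHeaders` are constructed for illustration.

```javascript
// Exact-match Origin allowlist for a cross-origin AJAX service.
// The origins below are constructed placeholders, not values from the post.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);

// Normalise an Origin header value to scheme://host[:port]. Returns null when
// the value is not a well-formed http(s) origin (this also rejects "null").
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A real Origin header carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin;
}

// Decide which CORS response headers to send for one request.
function corsHeaders(requestOrigin, { publicAccess = false } = {}) {
  if (publicAccess) {
    // Truly public service: any origin may read the response.
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Vary keeps shared caches from replaying one origin's answer to another.
  const headers = { Vary: "Origin" };
  const origin = normalizeOrigin(requestOrigin);
  // Set lookup is an exact comparison, so look-alike suffixes do not match.
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample Origin values, printed with the headers they receive.
for (const o of ["https://app.example.com", "https://app.example.com.evil.test", "null"]) {
  console.log(o, "->", JSON.stringify(corsHeaders(o)));
}
```

A request whose origin is not on the list gets no `Access-Control-Allow-Origin` header, so the browser withholds the response from the calling page.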