diff --git a/core/core.services.yml b/core/core.services.yml
index 58dac71..262357b 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -414,7 +414,7 @@ services:
 - { name: http_middleware, priority: 100 }
 http_middleware.cors:
 class: Asm89\Stack\Cors
- arguments: [{ allowedHeaders: ['*'], allowedMethods: ['DELETE', 'GET', 'POST', 'PUT'], allowedOrigins: ['*'] }]
+ arguments: [%cors.config%]
 tags:
 - { name: http_middleware }
 language_manager:
diff --git a/core/modules/system/src/Tests/HttpKernel/CorsIntegrationTest.php b/core/modules/system/src/Tests/HttpKernel/CorsIntegrationTest.php
index fde2be5..3d477a0 100644
--- a/core/modules/system/src/Tests/HttpKernel/CorsIntegrationTest.php
+++ b/core/modules/system/src/Tests/HttpKernel/CorsIntegrationTest.php
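Review bot: The middleware is now constructed from `%cors.config%`, so a site whose existing `sites/*/services.yml` predates this change and does not define that parameter will presumably fail container compilation instead of falling back to any default; either a change record or a baseline `cors.config` under `parameters:` in core.services.yml (overridden by the site file) would close that gap. The removed line shows the previous wiring was wide open (`allowedHeaders: ['*']`, four methods, `allowedOrigins: ['*']`), so whatever value `cors.config` carries is now the site's entire CORS policy. A one-line comment on the service would make that explicit: `# CORS policy is site-configurable via the cors.config parameter (see sites/default/default.services.yml).`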
@@ -7,7 +7,47 @@ namespace Drupal\system\Tests\HttpKernel;
-class CorsIntegrationTest {
+use Drupal\simpletest\WebTestBase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
-}
+/**
+ * Tests CORS provided by Drupal.
+ *
+ * @see sites/default/default.services.yml
+ * @see \Asm89\Stack\Cors
+ * @see \Asm89\Stack\CorsService
+ *
+ * @group Http
+ */
+class CorsIntegrationTest extends WebTestBase {
+
+ public function testCrossSiteRequest() {
+ // Test default parameters.
+ $cors_config = $this->container->getParameter('cors.config');
+ $this->assertEqual([], $cors_config['allowedHeaders']);
+ $this->assertEqual([], $cors_config['allowedMethods']);
+ $this->assertEqual(['*'], $cors_config['allowedOrigins']);
+
+ $this->assertEqual(FALSE, $cors_config['allowedHeaders']);
+ $this->assertEqual(FALSE, $cors_config['allowedMethods']);
+ $this->assertEqual(FALSE, $cors_config['supportsCredentials']);
+ // Configure the CORS stack to allow a specific set of origins, but don't
+ // specify an origin header.
+ $request = Request::create('/');
+ $request->headers->set('Origin', '');
+ $this->container->set('http_middleware.cors', NULL);
+ $this->container->setParameter('allowedOrigins', ['http://example.com']);
+
+ $response = $this->container->get('http_kernel')->handle($request);
+ $this->assertEqual(Response::HTTP_FORBIDDEN, $response->getStatusCode());
+ $this->assertEqual('Not allowed', $response->getContent());
+
+ // Specify a valid origin.
+ $request->headers->set('Origin', 'http://example.com');
+ $response = $this->container->get('http_kernel')->handle($request);
+ $this->assertEqual(Response::HTTP_OK, $response->getStatusCode());
+ }
+
+}
diff --git a/sites/default/default.services.yml b/sites/default/default.services.yml
index a5307ec..93a6131 100644
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
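Review bot: `$this->container->setParameter('allowedOrigins', ['http://example.com'])` sets a parameter the CORS middleware never reads; the service is wired to `%cors.config%`, so the restriction is silently ignored, the middleware keeps `allowedOrigins: ['*']`, and the 403 assertion that follows is not exercising the origin check at all. The opening block asserts the same keys equal `[]` and then `FALSE`, which only passes because `assertEqual` compares loosely; keep one form (`[]`) so a later change to `allowedHeaders` is caught precisely. The comment "don't specify an origin header" is contradicted by `$request->headers->set('Origin', '')`, which adds an (empty) Origin header; build the pass-through request without one and use a non-whitelisted origin for the rejection case. Resetting only `http_middleware.cors` may also be insufficient if the already-built `http_kernel` stack still holds the old instance — confirm the stack is rebuilt, or reset `http_kernel` as well.
```php
    // … unchanged: default-parameter assertions on $cors_config …
    // Restrict origins through the parameter the middleware actually reads,
    // then drop the cached middleware so it is rebuilt with the new value.
    $this->container->setParameter('cors.config', ['allowedOrigins' => ['http://example.com']] + $cors_config);
    $this->container->set('http_middleware.cors', NULL);

    // No Origin header at all: not a CORS request, must pass through.
    $request = Request::create('/');
    $response = $this->container->get('http_kernel')->handle($request);
    $this->assertEqual(Response::HTTP_OK, $response->getStatusCode());

    // An origin outside the whitelist must be refused.
    $request->headers->set('Origin', 'http://evil.example');
    $response = $this->container->get('http_kernel')->handle($request);
    $this->assertEqual(Response::HTTP_FORBIDDEN, $response->getStatusCode());
    // … unchanged: valid-origin case …
```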
@@ -51,3 +51,19 @@ parameters:
 # Default key/value expirable storage service to use.
 # @default keyvalue.database.expirable
 # default: keyvalue.database.expirable
+
+ # Allow to configure Cross-Site HTTP requests (CORS).
+ # Read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+ # for more information about the topic in general.
+ # Note: By default the configuration is done in a way that no behaviour is
+ # changed.
+ cors.config:
+ # Specify allowed headers, like 'x-allowed-header'.
+ allowedHeaders: []
+ # Specify allowed request methods, specify '*' to allow all possible ones.
+ allowedMethods: []
+ # Configure requests allowed from specific origins.
+ allowedOrigins: ['*']
+ exposedHeaders: false
+ maxAge: false
+ supportsCredentials: false
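Review bot: The note `# Note: By default the configuration is done in a way that no behaviour is changed.` appears inaccurate: the same commit replaces hard-coded defaults of `allowedHeaders: ['*']` and four allowed methods with `[]`, so CORS is effectively switched off until a site fills these in, and the comment should say that rather than promise no change. `allowedOrigins: ['*']` together with `supportsCredentials: true` is the classic unsafe CORS setting (credentialed requests from any website), and nothing here warns an administrator off it; add above `supportsCredentials`: `# Never set this to true while allowedOrigins is ['*']; that would let any website make authenticated requests as the logged-in user.` `exposedHeaders` and `maxAge` are the only keys without an explanatory comment — one line each (`# Response headers the browser is allowed to read.`, `# Seconds a browser may cache a preflight response.`) keeps the block self-describing.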