diff --cc composer.lock
index 4849c75,041b966..0000000
--- a/composer.lock
+++ b/composer.lock
@@@ -4,9 -4,52 +4,52 @@@
          "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
          "This file is @generated automatically"
      ],
 -    "hash": "d09b2b11da3a1be5d0b093cabd7e3d41",
 +    "hash": "2bd5814ec010b13a6997359736b58695",
      "packages": [
          {
+             "name": "asm89/stack-cors",
+             "version": "0.2.1",
+             "source": {
+                 "type": "git",
+                 "url": "https://github.com/asm89/stack-cors.git",
+                 "reference": "2d77e77251a434e4527315313a672f5801b29fa2"
+             },
+             "dist": {
+                 "type": "zip",
+                 "url": "https://api.github.com/repos/asm89/stack-cors/zipball/2d77e77251a434e4527315313a672f5801b29fa2",
+                 "reference": "2d77e77251a434e4527315313a672f5801b29fa2",
+                 "shasum": ""
+             },
+             "require": {
+                 "php": ">=5.3.2",
+                 "symfony/http-foundation": "~2.1",
+                 "symfony/http-kernel": "~2.1"
+             },
+             "type": "library",
+             "autoload": {
+                 "psr-0": {
+                     "Asm89\\Stack": "src/"
+                 }
+             },
+             "notification-url": "https://packagist.org/downloads/",
+             "license": [
+                 "MIT"
+             ],
+             "authors": [
+                 {
+                     "name": "Alexander",
+                     "email": "iam.asm89@gmail.com"
+                 }
+             ],
+             "description": "Cross-origin resource sharing library and stack middleware",
+             "homepage": "https://github.com/asm89/stack-cors",
+             "keywords": [
+                 "cors",
+                 "stack"
+             ],
+             "time": "2014-07-28 07:22:35"
+         },
+         {
              "name": "doctrine/annotations",
              "version": "v1.2.1",
              "source": {
diff --cc core/vendor/composer/installed.json
index 06b603a,3103969..0000000
--- a/core/vendor/composer/installed.json
+++ b/core/vendor/composer/installed.json
diff --git a/core/lib/Drupal/Core/CoreServiceProvider.php b/core/lib/Drupal/Core/CoreServiceProvider.php
index db54f91..862c30d 100644
--- a/core/lib/Drupal/Core/CoreServiceProvider.php
+++ b/core/lib/Drupal/Core/CoreServiceProvider.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Cache\CacheContextsPass;
 use Drupal\Core\Cache\ListCacheBinsPass;
 use Drupal\Core\DependencyInjection\Compiler\BackendCompilerPass;
+use Drupal\Core\DependencyInjection\Compiler\CorsCompilerPass;
 use Drupal\Core\DependencyInjection\Compiler\StackedKernelPass;
 use Drupal\Core\DependencyInjection\Compiler\RegisterStreamWrappersPass;
 use Drupal\Core\DependencyInjection\ServiceProviderInterface;
@@ -52,6 +53,8 @@ public function register(ContainerBuilder $container) {
 
     $container->addCompilerPass(new BackendCompilerPass());
 
+    $container->addCompilerPass(new CorsCompilerPass());
+
     $container->addCompilerPass(new StackedKernelPass());
 
     // Collect tagged handler services as method calls on consumer services.
diff --git a/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php b/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php
index db234fa..3c66ad6 100644
--- a/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php
+++ b/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php
@@ -7,7 +7,30 @@
 
 namespace Drupal\Core\DependencyInjection\Compiler;
 
-class CorsCompilerPass {
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
 
-}
+/**
+ * Provides a compiler pass which disables the CORS middleware in case disabled.
+ *
+ * @see services.yml
+ */
+class CorsCompilerPass implements CompilerPassInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function process(ContainerBuilder $container) {
+    $enabled = FALSE;
 
+    if ($cors_config = $container->getParameter('cors.config')) {
+      $enabled = !empty($cors_config['enabled']);
+    }
+
+    // Remove the CORS middleware completly in case it was not enabled.
+    if (!$enabled) {
+      $container->removeDefinition('http_middleware.cors');
+    }
+  }
+
+}
diff --git a/sites/default/default.services.yml b/sites/default/default.services.yml
index 93a6131..31ab8bb 100755
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
@@ -58,6 +58,7 @@ parameters:
   # Note: By default the configuration is done in a way that no behaviour is
   # changed.
   cors.config:
+    enabled: false
     # Specify allowed headers, like 'x-allowed-header'.
     allowedHeaders: []
     # Specify allowed request methods, specify '*' to allow all possible ones.