diff --git a/actions/hostmeta.php b/actions/hostmeta.php index e921b5ad59..5caf1960cb 100644 --- a/actions/hostmeta.php +++ b/actions/hostmeta.php @@ -59,7 +59,13 @@ class HostMetaAction extends Action Event::handle('EndHostMetaLinks', array(&$xrd->links)); } + // Output Cross-Origin Resource Sharing (CORS) header + if (common_config('discovery', 'cors')) { + header('Access-Control-Allow-Origin: *'); + } + header('Content-type: application/xrd+xml'); + print $xrd->toXML(); } } diff --git a/actions/userxrd.php b/actions/userxrd.php index 1d888064d6..6fa738a5c9 100644 --- a/actions/userxrd.php +++ b/actions/userxrd.php @@ -30,6 +30,7 @@ class UserxrdAction extends XrdAction function prepare($args) { parent::prepare($args); + global $config; $this->uri = $this->trimmed('uri'); $this->uri = self::normalize($this->uri); diff --git a/config.php.sample b/config.php.sample index 5378ad973d..87a1977b5f 100644 --- a/config.php.sample +++ b/config.php.sample @@ -41,6 +41,12 @@ $config['site']['path'] = 'statusnet'; // Make the site invisible to non-logged-in users // $config['site']['private'] = true; +// Allow Cross-Origin Resource Sharing (CORS) for service discovery +// (host-meta, XRD, etc.) Useful for AJAXy client applications. Should +// probably NOT be on for private / intranet sites but OK for public sites. +// Default is off. +// $config['discovery']['cors'] = true; + // If your web server supports X-Sendfile (Apache with mod_xsendfile, // lighttpd, nginx), you can enable X-Sendfile support for better // performance. Presently, only attachment serving when the site is diff --git a/lib/default.php b/lib/default.php index 4a7d6110c5..a1f1ed6d8f 100644 --- a/lib/default.php +++ b/lib/default.php @@ -349,4 +349,6 @@ $default = ), 'router' => array('cache' => true), // whether to cache the router object. Defaults to true, turn off for devel + 'discovery' => + array('cors' => false) // Allow Cross-Origin Resource Sharing for service discovery (host-meta, XRD, etc.) ); 
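Review bot: In actions/hostmeta.php the wildcard header is sent whenever `discovery.cors` is true, so the "should probably NOT be on for private / intranet sites" advice in config.php.sample is left to the administrator to remember. The guard could enforce the part the code can see, e.g. `if (common_config('discovery', 'cors') && !common_config('site', 'private')) {`, and the same applies to the identical block added in lib/xrdaction.php. With `Access-Control-Allow-Origin: *`, any page open in a browser that can reach the site can read the discovery document, which matters most where network placement was the only access control. The enclosing method starts outside the hunk, so this assumes no earlier check already covers private sites.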
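Review bot: The `global $config;` added to `UserxrdAction::prepare()` in actions/userxrd.php is not read by any line visible in this hunk, and the rest of the commit reads the setting through `common_config('discovery', 'cors')` instead. Unless the remainder of `prepare()`, which continues outside the hunk, uses `$config` directly, the line should be dropped. If a direct read is intended, replace it with the `common_config()` accessor so the defaults from lib/default.php still apply.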
diff --git a/lib/xrdaction.php b/lib/xrdaction.php index a0e7a1c415..3d55204f41 100644 --- a/lib/xrdaction.php +++ b/lib/xrdaction.php @@ -117,7 +117,12 @@ class XrdAction extends Action Event::handle('EndXrdActionLinks', array(&$xrd, $this->user)); } + if (common_config('discovery', 'cors')) { + header('Access-Control-Allow-Origin: *'); + } + header('Content-type: application/xrd+xml'); + print $xrd->toXML(); }
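Review bot: The CORS block added in lib/xrdaction.php has no comment, while the identical block in actions/hostmeta.php is introduced by one. Add `// Output Cross-Origin Resource Sharing (CORS) header` above the `if` here as well. Both classes extend `Action` according to the hunk headers, so a small shared helper there would keep any later change to the header or its condition in one place. The enclosing method starts outside the hunk.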