diff --git a/composer.lock b/composer.lock
index d9fa2a1..984449a 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,10 +4,53 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "5e14f057cfce03180014a6a75e38de6f",
-    "content-hash": "7d72dc63a3981fb6edb92f6786ba94b1",
+    "hash": "0d2a185c3b89c9d5b75b18ae38c675a1",
+    "content-hash": "58f39297f0dffb860923a4d452d51b85",
     "packages": [
         {
+            "name": "asm89/stack-cors",
+            "version": "0.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/asm89/stack-cors.git",
+                "reference": "2d77e77251a434e4527315313a672f5801b29fa2"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/asm89/stack-cors/zipball/2d77e77251a434e4527315313a672f5801b29fa2",
+                "reference": "2d77e77251a434e4527315313a672f5801b29fa2",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.2",
+                "symfony/http-foundation": "~2.1",
+                "symfony/http-kernel": "~2.1"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-0": {
+                    "Asm89\\Stack": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alexander",
+                    "email": "iam.asm89@gmail.com"
+                }
+            ],
+            "description": "Cross-origin resource sharing library and stack middleware",
+            "homepage": "https://github.com/asm89/stack-cors",
+            "keywords": [
+                "cors",
+                "stack"
+            ],
+            "time": "2014-07-28 07:22:35"
+        },
+        {
             "name": "composer/installers",
             "version": "v1.0.21",
             "source": {
diff --git a/core/composer.json b/core/composer.json
index ad85425..ff1e6f0 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -31,7 +31,8 @@
         "symfony/psr-http-message-bridge": "v0.2",
         "zendframework/zend-diactoros": "~1.1",
         "composer/semver": "~1.0",
-        "paragonie/random_compat": "~1.0"
+        "paragonie/random_compat": "~1.0",
+        "asm89/stack-cors": "~0.2.1"
     },
     "require-dev": {
         "behat/mink": "~1.6",
diff --git a/core/core.services.yml b/core/core.services.yml
index d9b1839..fd1fd71 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -33,6 +33,14 @@ parameters:
     - sftp
     - webcal
     - rtsp
+  cors.config:
+    enabled: false
+    allowedHeaders: []
+    allowedMethods: []
+    allowedOrigins: ['*']
+    exposedHeaders: false
+    maxAge: false
+    supportsCredentials: false
 services:
   # Simple cache contexts, directly derived from the request context.
   cache_context.ip:
@@ -695,6 +703,11 @@ services:
       - { name: http_middleware, priority: 50 }
     calls:
       - [setContainer, ['@service_container']]
+  http_middleware.cors:
+     class: Asm89\Stack\Cors
+     arguments: ['%cors.config%']
+     tags:
+       - { name: http_middleware }
   psr7.http_foundation_factory:
     class: Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory
   psr7.http_message_factory:
diff --git a/core/lib/Drupal/Core/CoreServiceProvider.php b/core/lib/Drupal/Core/CoreServiceProvider.php
index 0b6ce52..86a3993 100644
--- a/core/lib/Drupal/Core/CoreServiceProvider.php
+++ b/core/lib/Drupal/Core/CoreServiceProvider.php
@@ -5,6 +5,7 @@
 use Drupal\Core\Cache\Context\CacheContextsPass;
 use Drupal\Core\Cache\ListCacheBinsPass;
 use Drupal\Core\DependencyInjection\Compiler\BackendCompilerPass;
+use Drupal\Core\DependencyInjection\Compiler\CorsCompilerPass;
 use Drupal\Core\DependencyInjection\Compiler\GuzzleMiddlewarePass;
 use Drupal\Core\DependencyInjection\Compiler\ContextProvidersPass;
 use Drupal\Core\DependencyInjection\Compiler\ProxyServicesPass;
@@ -63,6 +64,8 @@ public function register(ContainerBuilder $container) {
 
     $container->addCompilerPass(new BackendCompilerPass());
 
+    $container->addCompilerPass(new CorsCompilerPass());
+
     $container->addCompilerPass(new StackedKernelPass());
 
     $container->addCompilerPass(new StackedSessionHandlerPass());
diff --git a/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php b/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php
new file mode 100644
index 0000000..6f58ff7
--- /dev/null
+++ b/core/lib/Drupal/Core/DependencyInjection/Compiler/CorsCompilerPass.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace Drupal\Core\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * Provides a compiler pass which disables the CORS middleware in case disabled.
+ *
+ * @see services.yml
+ */
+class CorsCompilerPass implements CompilerPassInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function process(ContainerBuilder $container) {
+    $enabled = FALSE;
+
+    if ($cors_config = $container->getParameter('cors.config')) {
+      $enabled = !empty($cors_config['enabled']);
+    }
+
+    // Remove the CORS middleware completly in case it was not enabled.
+    if (!$enabled) {
+      $container->removeDefinition('http_middleware.cors');
+    }
+  }
+
+}
diff --git a/core/tests/Drupal/KernelTests/Core/HttpKernel/CorsIntegrationTest.php b/core/tests/Drupal/KernelTests/Core/HttpKernel/CorsIntegrationTest.php
new file mode 100644
index 0000000..e73efa3
--- /dev/null
+++ b/core/tests/Drupal/KernelTests/Core/HttpKernel/CorsIntegrationTest.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace Drupal\KernelTests\Core\HttpKernel;
+
+use Drupal\Core\DependencyInjection\ContainerBuilder;
+use Drupal\Core\DependencyInjection\ServiceModifierInterface;
+use Drupal\KernelTests\KernelTestBase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Tests CORS provided by Drupal.
+ *
+ * @see sites/default/default.services.yml
+ * @see \Asm89\Stack\Cors
+ * @see \Asm89\Stack\CorsService
+ *
+ * @group Http
+ */
+class CorsIntegrationTest extends KernelTestBase implements ServiceModifierInterface {
+
+  /**
+   * The cors container configuration.
+   *
+   * @var null|array
+   */
+  protected $corsConfig = NULL;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static $modules = ['system', 'test_page_test'];
+
+  protected function setUp() {
+    parent::setUp();
+
+    $this->installSchema('system', 'router');
+    \Drupal::service('router.builder')->rebuild();
+  }
+
+  public function testCrossSiteRequest() {
+
+    // Test default parameters.
+    $cors_config = $this->container->getParameter('cors.config');
+    $this->assertSame(FALSE, $cors_config['enabled']);
+    $this->assertSame([], $cors_config['allowedHeaders']);
+    $this->assertSame([], $cors_config['allowedMethods']);
+    $this->assertSame(['*'], $cors_config['allowedOrigins']);
+
+    $this->assertSame(FALSE, $cors_config['exposedHeaders']);
+    $this->assertSame(FALSE, $cors_config['maxAge']);
+    $this->assertSame(FALSE, $cors_config['supportsCredentials']);
+
+    // Configure the CORS stack to allow a specific set of origins, but don't
+    // specify an origin header.
+    $request = Request::create('/test-page');
+    $request->headers->set('Origin', '');
+    $cors_config['enabled'] = TRUE;
+    $cors_config['allowedOrigins'] = ['http://example.com'];
+
+    $this->corsConfig = $cors_config;
+    $this->container->get('kernel')->rebuildContainer();
+
+    /** @var \Symfony\Component\HttpFoundation\Response $response */
+    $response = $this->container->get('http_kernel')->handle($request);
+    $this->assertEquals(Response::HTTP_FORBIDDEN, $response->getStatusCode());
+    $this->assertEquals('Not allowed.', $response->getContent());
+
+    // Specify a valid origin.
+    $request->headers->set('Origin', 'http://example.com');
+    $response = $this->container->get('http_kernel')->handle($request);
+    $this->assertEquals(Response::HTTP_OK, $response->getStatusCode());
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function alter(ContainerBuilder $container) {
+    if (isset($this->corsConfig)) {
+      $container->setParameter('cors.config', $this->corsConfig);
+    }
+  }
+
+}
diff --git a/sites/default/default.services.yml b/sites/default/default.services.yml
index 23f6483..b310535 100644
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
@@ -153,3 +153,19 @@ parameters:
     - sftp
     - webcal
     - rtsp
+
+   # Configure Cross-Site HTTP requests (CORS).
+   # Read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+   # for more information about the topic in general.
+   # Note: By default the configuration is disabled.
+  cors.config:
+    enabled: false
+    # Specify allowed headers, like 'x-allowed-header'.
+    allowedHeaders: []
+    # Specify allowed request methods, specify '*' to allow all possible ones.
+    allowedMethods: []
+    # Configure requests allowed from specific origins.
+    allowedOrigins: ['*']
+    exposedHeaders: false
+    maxAge: false
+    supportsCredentials: false
