diff --git a/web/includes/functions.php b/web/includes/functions.php
index 6eedf585e..10f12c712 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -95,22 +95,20 @@ function noCacheHeaders()
 }
 function CORSHeaders() {
- # This just allows cross server requests with no verification. This is ok, because we do auth later.
- header("Access-Control-Allow-Origin: *" );
 # The following is left for future reference/use.
-#$valid = false;
-#header("Access-Control-Allow-Headers: x-requested-with,x-request");
-#foreach( dbFetchAll( 'SELECT * FROM Servers' ) as $row ) {
-#$Server = new Server( $row );
-#if ( $_SERVER['HTTP_ORIGIN'] == $Server->Url() ) {
-#$valid = true;
-#header("Access-Control-Allow-Origin: " . $Server->Url() );
-#}
-#}
-#if ( ! $valid ) {
-#Warning( $_SERVER['HTTP_ORIGIN'] . " is not found in servers list." );
-#}
+ $valid = false;
+ foreach( dbFetchAll( 'SELECT * FROM Servers' ) as $row ) {
+ $Server = new Server( $row );
+ if ( $_SERVER['HTTP_ORIGIN'] == $Server->Url() ) {
+ $valid = true;
+ header("Access-Control-Allow-Origin: " . $Server->Url() );
+ header("Access-Control-Allow-Headers: x-requested-with,x-request");
+ }
+ }
+ if ( ! $valid ) {
+ Warning( $_SERVER['HTTP_ORIGIN'] . " is not found in servers list." );
+ }
 }
 function getAuthUser( $auth )
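Review bot: `$_SERVER['HTTP_ORIGIN']` is read unguarded in the new comparison and again in the `Warning()` call, so any request that carries no Origin header raises an undefined-index notice and logs a spurious "is not found in servers list" warning; the function should start with `if ( ! isset($_SERVER['HTTP_ORIGIN']) ) return;`. The header is client-controlled and is concatenated into the log message verbatim, so unless `Warning()` already neutralises it (not visible in this hunk) it should be length-limited and stripped of control characters before logging. Because the allowed origin now differs per request, `header('Vary: Origin');` belongs next to the `Access-Control-Allow-Origin` line so a shared cache does not replay one origin's response to another, and the comparison should use `===`. The retained comment "The following is left for future reference/use." is stale now that the block is live and should be replaced by a line stating that only origins matching a configured server URL are allowed.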