diff --git a/code/default/launcher/web_control.py b/code/default/launcher/web_control.py
index 951690604c..a1c0be119f 100644
--- a/code/default/launcher/web_control.py
+++ b/code/default/launcher/web_control.py
@@ -201,10 +201,12 @@ def do_GET(self):
 if refer:
 refer_loc = urlparse(refer).netloc
 host = self.headers.get('Host')
- if refer_loc != host:
+ if refer_loc != host and refer_loc not in config.allowed_refers:
 xlog.warn("web control ref:%s host:%s", refer_loc, host)
 return

+ self.set_CORS(CORS_header)
+
 # check for '..', which will leak file
 if re.search(r'(\.{2})', self.path) is not None:
 self.wfile.write(b'HTTP/1.1 404\r\n\r\n')
@@ -254,6 +256,7 @@ def do_GET(self):
 path = '/' + '/'.join(url_path_list[4:])
 controler = module_init.proc_handler[module]["imp"].local.web_control.ControlHandler(
 self.client_address, self.headers, self.command, path, self.rfile, self.wfile)
+ controler.set_CORS(self.res_headers)
 controler.do_GET()
 return
 else:
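Review bot: `self.set_CORS(CORS_header)` sits after the `if refer:` block, so it runs for every GET that was not rejected, including requests that carry no Referer at all and therefore skipped the allow-list test. `CORS_header` is assigned outside this hunk; unless it is already empty for callers that did not match `config.allowed_refers`, the call belongs inside the Referer branch, e.g. `if refer_loc in config.allowed_refers: self.set_CORS(CORS_header)`. The allow-list is compared with `urlparse(refer).netloc`, which drops the scheme, so an entry matches both `http://` and `https://` pages on that host; a comment such as `# allowed_refers holds bare host[:port] values; scheme is not checked` would make that explicit, and matching the `Origin` header exactly is the sturdier basis for a CORS decision. do_GET begins and continues outside the hunk.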
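Review bot: `controler.set_CORS(self.res_headers)` assumes every module's `ControlHandler` loaded through `module_init.proc_handler[module]["imp"]` defines `set_CORS`; a module handler without it would raise AttributeError before `controler.do_GET()` runs, so a guard or a shared base-class method is worth confirming. The call also extends whatever cross-origin policy the launcher chose to each module's control endpoints, which deserves a comment at this line, for example `# forward the launcher's CORS response headers so module handlers apply the same origin policy`. The value passed here is `self.res_headers` while the first hunk passes `CORS_header` to `self.set_CORS`; presumably the latter populates the former, but that is not visible in this diff. The enclosing branch of do_GET starts and ends outside the hunk.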