diff --git a/defaults/main.yml b/defaults/main.yml
index 46b6f459..c0c84d04 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -172,6 +172,8 @@ glance_keystone_auth_plugin: password
 ## Glance config
 glance_image_cache_max_size: 10737418240
+# CORS options
+glance_cors_allowed_origin: "{{ (glance_show_multiple_locations | bool) | ternary(external_lb_vip_address, None) }}"
 # If ``glance_api_workers`` is unset the system will use half the number of available VCPUS to
 # compute the number of api workers to use.
 # glance_api_workers: 16
diff --git a/releasenotes/notes/add-cors-config-6326223fe7fa7423.yaml b/releasenotes/notes/add-cors-config-6326223fe7fa7423.yaml
new file mode 100644
index 00000000..de1d5c8d
--- /dev/null
+++ b/releasenotes/notes/add-cors-config-6326223fe7fa7423.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - It is possible to configure Glance to allow cross origin requests by
+ specifying the allowed origin address using the ``glance_cors_allowed_origin``
+ variable. By default, this will be the load balancer address.
diff --git a/templates/glance-api.conf.j2 b/templates/glance-api.conf.j2
index 0971aa21..65bd99df 100644
--- a/templates/glance-api.conf.j2
+++ b/templates/glance-api.conf.j2
@@ -118,3 +118,10 @@ enabled = {{ glance_profiler_enabled }}
 [oslo_middleware]
 enable_proxy_headers_parsing = True
 {% endif %}
+
+{% if glance_cors_allowed_origin is not none %}
+[cors]
+allow_headers = origin,content-md5,x-image-meta-checksum,x-storage-token,accept-encoding,x-auth-token,x-identity-status,x-roles,x-service-catalog,x-user-id,x-tenant-id,x-openstack-request-id
+allow_methods = GET,POST,PUT,PATCH,DELETE
+allowed_origin = {{ glance_cors_allowed_origin }}
+{% endif %}
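Review bot: The default on the added `glance_cors_allowed_origin` line resolves to the bare `external_lb_vip_address`, while the CORS middleware compares `allowed_origin` with the browser's Origin header, which has the form `<protocol>://<host>[:<port>]`; a bare address would presumably never match. The default should build a full origin, along the lines of `"{{ <external protocol variable> }}://{{ external_lb_vip_address }}"`, using whichever protocol variable the role already defines (none is visible in this diff). The `# CORS options` comment should also state the expected format and that the default is only set when `glance_show_multiple_locations` is true, e.g. `# Origin (scheme://host[:port]) allowed to make cross-origin requests; unset unless glance_show_multiple_locations is enabled.`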
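Review bot: The `{% if glance_cors_allowed_origin is not none %}` guard in templates/glance-api.conf.j2 only skips the section for a real null. If the `None` branch of the templated default reaches this template as an empty string, which seems likely but depends on how Ansible renders it, a `[cors]` section with an empty `allowed_origin =` is written. A truthiness test, `{% if glance_cors_allowed_origin %}`, covers both the null and the empty case. Because `allow_headers` includes `x-auth-token` and `allow_methods` includes `DELETE`, a comment such as `# allowed_origin must name specific trusted origins; do not use "*"` above the section would help operators who override the variable.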