diff --git a/bin/browserid b/bin/browserid
index 20696a82b8164259114c6a299007916241abda85..d4fcfc3c749f7d8f8dceab1186c26ffadedcee1b 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -135,6 +135,15 @@ app.use(function(req, res, next) {
   next();
 });
 
+// add 'Access-Control-Allow-Origin' headers to static resources that will be served
+// from the CDN.  We explicitly allow resources served from public_url to access these.
+app.use(function(req, res, next) {
+  res.on('header', function() {
+    res.setHeader("Access-Control-Allow-Origin", config.get('public_url'));
+  });
+  next();
+});
+
 app.use(express.static(static_root));
 
 // open the databse
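Review bot: The new middleware attaches `Access-Control-Allow-Origin` to every response this process emits, not only to the static resources its comment describes: it is registered with `app.use` before `express.static`, so the `header` listener fires for any route handled later in the chain as well. With a single fixed origin and no `Access-Control-Allow-Credentials` the practical exposure is limited to letting `public_url` read otherwise non-credentialed responses, but it still widens the cross-origin surface of whatever dynamic routes follow rather than just the CDN assets. Scoping the listener to static requests (for example by checking `req.url` against the static prefix before calling `res.setHeader`, or by attaching it only in the static-serving path) keeps the header where the comment says it belongs. The value of `public_url` is not visible here; browsers only honour this header when it is a bare origin (`scheme://host[:port]`, no path or trailing slash), so that constraint is worth stating in the comment, e.g. `// public_url must be a bare origin (no path/trailing slash) or browsers ignore the header`.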
diff --git a/bin/router b/bin/router
index 4b4bb5fe42b65d8756a9c38166995c6bae3bb2e8..671cfb39fa8a442c95501a7261840c8e68fcb6f3 100755
--- a/bin/router
+++ b/bin/router
@@ -20,7 +20,6 @@ logger = require('../lib/logging.js').logger,
 forward = require('../lib/http_forward').forward,
 shutdown = require('../lib/shutdown');
 
-
 var app = undefined;
 
 app = express.createServer();
@@ -78,9 +77,9 @@ if (statsd_config && statsd_config.enabled) {
 
 // Add Strict-Transport-Security headers if we're serving over SSL
 if (config.get('scheme') == 'https') {
-  app.use(function(req, resp, next) {
+  app.use(function(req, res, next) {
     // expires in 30 days, include subdomains like www
-    resp.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
+    res.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
     next();
     });
 }
diff --git a/lib/http_forward.js b/lib/http_forward.js
index 40f486cafefc8daad09191a29cfadedb291b935c..09d1023dd2d31be53282c22e22efa3ab1f09cd40 100644
--- a/lib/http_forward.js
+++ b/lib/http_forward.js
@@ -47,7 +47,7 @@ exports.forward = function(dest, req, res, cb) {
     res.statusCode = pres.statusCode;
 
     // forward necessary headers
-    ['Content-Type', 'Content-Length', 'Set-Cookie', 'Vary', 'Cache-Control', 'ETag', 'X-Frame-Options', 'Location']
+    ['Content-Type', 'Content-Length', 'Set-Cookie', 'Vary', 'Cache-Control', 'ETag', 'X-Frame-Options', 'Location', 'Access-Control-Allow-Origin']
       .forEach(function (header) {
         if (pres.headers.hasOwnProperty(header.toLowerCase())) {
           res.setHeader(header, pres.headers[header.toLowerCase()]);
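Review bot: The allow-list now passes a CORS header through the router with no comment on why, and `// forward necessary headers` does not tell a later maintainer that this is deliberate rather than a leftover; I would add `// Access-Control-Allow-Origin is set by the backend for CDN-served static assets and must survive the proxy` above the array. The pass-through itself is safe as written since it only echoes whatever the backend chose, and `Vary` is already on the list, which matters if a backend ever sets the origin per request instead of a fixed value. As a point of style, the array has grown to a single very long line; hoisting it to a module-level `FORWARDED_HEADERS` constant, one entry per line, would make future additions reviewable. The enclosing `forward` function and the `forEach` callback continue past the end of this hunk.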