diff --git a/beetsplug/web/__init__.py b/beetsplug/web/__init__.py
index 24bbf271e..34d33e01e 100644
--- a/beetsplug/web/__init__.py
+++ b/beetsplug/web/__init__.py
@@ -22,8 +22,7 @@ from flask import g
 from werkzeug.routing import BaseConverter, PathConverter
 import os
 import json
-from crossdomaindec import crossdomain
-
+from crossdomaindec import crossdomain, set_cors_origin
 
 # Utilities.
 
@@ -165,7 +164,7 @@ def before_request():
 # Items.
 
 @app.route('/item/<idlist:ids>')
-@crossdomain(origin='*')
+@crossdomain()
 @resource('items')
 def get_item(id):
     return g.lib.get_item(id)
@@ -173,14 +172,14 @@ def get_item(id):
 
 @app.route('/item/')
 @app.route('/item/query/')
-@crossdomain(origin='*')
+@crossdomain()
 @resource_list('items')
 def all_items():
     return g.lib.items()
 
 
 @app.route('/item/<int:item_id>/file')
-@crossdomain(origin='*')
+@crossdomain()
 def item_file(item_id):
     item = g.lib.get_item(item_id)
     response = flask.send_file(item.path, as_attachment=True,
@@ -190,7 +189,7 @@ def item_file(item_id):
 
 
 @app.route('/item/query/<query:queries>')
-@crossdomain(origin='*')
+@crossdomain()
 @resource_query('items')
 def item_query(queries):
     return g.lib.items(queries)
@@ -199,7 +198,7 @@ def item_query(queries):
 # Albums.
 
 @app.route('/album/<idlist:ids>')
-@crossdomain(origin='*')
+@crossdomain()
 @resource('albums')
 def get_album(id):
     return g.lib.get_album(id)
@@ -207,21 +206,21 @@ def get_album(id):
 
 @app.route('/album/')
 @app.route('/album/query/')
-@crossdomain(origin='*')
+@crossdomain()
 @resource_list('albums')
 def all_albums():
     return g.lib.albums()
 
 
 @app.route('/album/query/<query:queries>')
-@crossdomain(origin='*')
+@crossdomain()
 @resource_query('albums')
 def album_query(queries):
     return g.lib.albums(queries)
 
 
 @app.route('/album/<int:album_id>/art')
-@crossdomain(origin='*')
+@crossdomain()
 def album_art(album_id):
     album = g.lib.get_album(album_id)
     return flask.send_file(album.artpath)
@@ -230,7 +229,7 @@ def album_art(album_id):
 # Artists.
 
 @app.route('/artist/')
-@crossdomain(origin='*')
+@crossdomain()
 def all_artists():
     with g.lib.transaction() as tx:
         rows = tx.query("SELECT DISTINCT albumartist FROM albums")
@@ -241,7 +240,7 @@ def all_artists():
 # Library information.
 
 @app.route('/stats')
-@crossdomain(origin='*')
+@crossdomain()
 def stats():
     with g.lib.transaction() as tx:
         item_rows = tx.query("SELECT COUNT(*) FROM items")
@@ -265,8 +264,9 @@ class WebPlugin(BeetsPlugin):
     def __init__(self):
         super(WebPlugin, self).__init__()
         self.config.add({
-            'host': u'',
+            'host': u'127.0.0.1',
             'port': 8337,
+            'cors_origin': 'http://127.0.0.1',
         })
 
     def commands(self):
@@ -281,6 +281,8 @@ class WebPlugin(BeetsPlugin):
             if args:
                 self.config['port'] = int(args.pop(0))
 
+            set_cors_origin(self.config['cors_origin'])
+
             app.config['lib'] = lib
             app.run(host=self.config['host'].get(unicode),
                     port=self.config['port'].get(int),
diff --git a/beetsplug/web/crossdomaindec.py b/beetsplug/web/crossdomaindec.py
index 622b0455c..2fde1eae8 100644
--- a/beetsplug/web/crossdomaindec.py
+++ b/beetsplug/web/crossdomaindec.py
@@ -12,21 +12,31 @@
 #
 # The following view decorator implements this
 #
+# Note that some changes have been made to the original snippet
+# to allow changing the CORS origin after the decorator has been attached
+# This was done because the flask routing functions are defined before the
+# beetsplug hook is called.
 
 from datetime import timedelta
 from flask import make_response, request, current_app
 from functools import update_wrapper
 
+cors_origin = 'http://127.0.0.1' 
 
-def crossdomain(origin=None, methods=None, headers=None,
+def set_cors_origin(origin):
+    global cors_origin
+    cors_origin = origin
+
+def get_cors_origin():
+    return cors_origin
+
+def crossdomain(methods=None, headers=None,
                 max_age=21600, attach_to_all=True,
                 automatic_options=True):
     if methods is not None:
         methods = ', '.join(sorted(x.upper() for x in methods))
     if headers is not None and not isinstance(headers, basestring):
         headers = ', '.join(x.upper() for x in headers)
-    if not isinstance(origin, basestring):
-        origin = ', '.join(origin)
     if isinstance(max_age, timedelta):
         max_age = max_age.total_seconds()
 
@@ -48,7 +58,7 @@ def crossdomain(origin=None, methods=None, headers=None,
 
             h = resp.headers
 
-            h['Access-Control-Allow-Origin'] = origin
+            h['Access-Control-Allow-Origin'] = get_cors_origin()
             h['Access-Control-Allow-Methods'] = get_methods()
             h['Access-Control-Max-Age'] = str(max_age)
             if headers is not None: