diff --git a/components/proxy/conf/Caddyfile b/components/proxy/conf/Caddyfile
index 6cbe0c8b63c6ee..19b0a8db29be18 100644
--- a/components/proxy/conf/Caddyfile
+++ b/components/proxy/conf/Caddyfile
@@ -150,7 +150,10 @@ api.{$GITPOD_DOMAIN} {
 output stdout
 }
 
- # All traffic goes to HTTP endpoint. We handle gRPC using connect.build
+ gitpod.cors_origin {
+ allowed_origins https://{$GITPOD_DOMAIN}
+ }
+
 reverse_proxy public-api-server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:9002
 }
 
diff --git a/components/proxy/plugins/corsorigin/cors_origin.go b/components/proxy/plugins/corsorigin/cors_origin.go
index 603a31737df5a4..2fb69b5f1c7907 100644
--- a/components/proxy/plugins/corsorigin/cors_origin.go
+++ b/components/proxy/plugins/corsorigin/cors_origin.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "net/http"
 "strconv"
+ "strings"
 
 "github.com/caddyserver/caddy/v2"
 "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -27,9 +28,10 @@ func init() {
 
 // CorsOrigin implements an HTTP handler that generates a valid CORS Origin value
 type CorsOrigin struct {
- AnyDomain bool `json:"any_domain,omitempty"`
- BaseDomain string `json:"base_domain,omitempty"`
- Debug bool `json:"debug,omitempty"`
+ AnyDomain bool `json:"any_domain,omitempty"`
+ BaseDomain string `json:"base_domain,omitempty"`
+ AllowedOrigins []string `json:"allowed_origins,omitempty"`
+ Debug bool `json:"debug,omitempty"`
 }
 
 // CaddyModule returns the Caddy module information.
@@ -54,9 +56,12 @@ func (m CorsOrigin) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddy
 var allowedOrigins []string
 if m.AnyDomain {
 allowedOrigins = []string{"*"}
- } else {
+ } else if m.BaseDomain != "" {
 allowedOrigins = []string{"*." + m.BaseDomain}
+ } else if len(m.AllowedOrigins) != 0 {
+ allowedOrigins = m.AllowedOrigins
 }
+
 c := cors.New(cors.Options{
 AllowedOrigins: allowedOrigins,
 AllowedMethods: allowedMethods,
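Review bot: The new `else if` chain in ServeHTTP has no final branch, so when `AnyDomain` is false and both `BaseDomain` and `AllowedOrigins` are empty, `allowedOrigins` stays nil and is passed to `cors.New` as is. The only guard against that state is in `UnmarshalCaddyfile`, which is not involved when the handler is configured through Caddy's JSON config, and if `cors` is rs/cors (the import is outside the hunk) an empty `AllowedOrigins` list is treated as "allow every origin". Before this change the plain `else` always produced a `*.`-prefixed pattern, so this looks like a new fail-open path. I would repeat the two configuration checks in a `Validate() error` method on the module (if it does not already have one) so the config is rejected at load time whatever its source, or add a final `else` that passes the request on without building a CORS handler. ServeHTTP starts and ends outside the hunk.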
@@ -98,8 +103,15 @@ func (m *CorsOrigin) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 }
 
 m.AnyDomain = b
+
 case "base_domain":
 m.BaseDomain = value
+
+ case "allowed_origins":
+ // comma separated
+ origins := strings.Split(value, ",")
+ m.AllowedOrigins = origins
+
 case "debug":
 b, err := strconv.ParseBool(value)
 if err != nil {
@@ -112,8 +124,12 @@ func (m *CorsOrigin) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 }
 }
 
- if !m.AnyDomain && m.BaseDomain == "" {
- return fmt.Errorf("Please configure the base_domain subdirective")
+ if m.BaseDomain != "" && len(m.AllowedOrigins) != 0 {
+ return fmt.Errorf("base_domain and allowed_origins subdirectives are mutually exclusive, configure only one of them")
+ }
+
+ if !m.AnyDomain && m.BaseDomain == "" && len(m.AllowedOrigins) == 0 {
+ return fmt.Errorf("Please configure the base_domain or allowed_origins subdirective")
 }
 
 return nil
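Review bot: The `allowed_origins` case stores the result of `strings.Split(value, ",")` unchecked, so an empty value yields `[""]`, which has length 1 and passes the later `len(m.AllowedOrigins) == 0` check, and an entry written with a space after the comma keeps that space and will not match any Origin header. Entries are also handed to the CORS library verbatim, so a `*` in the list would presumably act as a wildcard without `any_domain` being set; if that is not intended it should be rejected here as well. I would trim each entry and fail on empty ones, as below. How `value` is read from the dispenser is outside the hunk, so whether a value containing spaces can arrive as one token is an assumption.

```go
		case "allowed_origins":
			// comma separated; entries are trimmed and must be non-empty
			for _, origin := range strings.Split(value, ",") {
				origin = strings.TrimSpace(origin)
				if origin == "" {
					return fmt.Errorf("allowed_origins contains an empty entry")
				}
				m.AllowedOrigins = append(m.AllowedOrigins, origin)
			}
		// … unchanged: debug case …
```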
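Review bot: The mutual-exclusion check in the last hunk covers `base_domain` against `allowed_origins` but not `any_domain`, and ServeHTTP gives `AnyDomain` precedence, so a block that enables `any_domain` and also lists `allowed_origins` is accepted and silently serves `*`. For a directive whose purpose is to restrict origins I would make that combination an error, e.g. `if m.AnyDomain && len(m.AllowedOrigins) != 0 { return fmt.Errorf("any_domain and allowed_origins subdirectives are mutually exclusive") }`. As a style point, the second message still starts with a capital and "Please", unlike the new message above it and Go's error-string convention; `"configure the base_domain or allowed_origins subdirective"` would match. The function body begins outside the hunk and its closing brace is not shown.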