diff --git a/index.js b/index.js
index 41945b8..69ccc85 100644
--- a/index.js
+++ b/index.js
@@ -58,6 +58,8 @@ module.exports = function(options) {
     // https://github.com/rs/cors/issues/10
     ctx.vary('Origin');
 
+    if (!requestOrigin) return await next();
+
     let origin;
     if (typeof options.origin === 'function') {
       origin = await options.origin(ctx);
diff --git a/test/cors.test.js b/test/cors.test.js
index 6d0ebda..02b0613 100644
--- a/test/cors.test.js
+++ b/test/cors.test.js
@@ -77,14 +77,6 @@ describe('cors.test.js', function() {
         .expect({ foo: 'bar' })
         .expect(200, done);
     });
-
-    it('should always set `Access-Control-Allow-Origin` to *, even if no Origin is passed on request', function(done) {
-      request(app.listen())
-        .get('/')
-        .expect('Access-Control-Allow-Origin', '*')
-        .expect({ foo: 'bar' })
-        .expect(200, done);
-    });
   });
 
   describe('options.secureContext=true', function() {