primus · 3rd-Eden · Mar 19, 2014 · Mar 12, 2014 · Mar 12, 2014 · Mar 12, 2014
diff --git a/README.md b/README.md
@@ -116,9 +116,20 @@ Name                | Description                               | Default
 authorization       | Authorization handler                     | `null`
 pathname            | The URL namespace that Primus can own     | `/primus`
 parser              | Message encoder for all communication     | `JSON`
-transformer         | The tranformer we should use internally   | `websockets`
+transformer         | The transformer we should use internally  | `websockets`
 plugin              | The plugins that should be applied        | `{}`
 timeout             | The heartbeat timeout                     | `35000`
+origins             | **cors** List of origins                  | `*`
+methods             | **cors** List of accepted HTTP methods    | `GET,HEAD,PUT,POST,DELETE,OPTIONS`
+credentials         | **cors** Allow sending of credentials     | `true`
+maxAge              | **cors** Cache duration of cors preflight | `30 days`
+headers             | **cors** Allowed headers                  | `false`
+exposed             | **cors** Headers exposed to the client    | `false`
+
+The options that are prefixed with **cors** are supplied to our
+[access-control](http://github.com/primus/access-control) module which handles
+HTTP Access Control (CORS), so for a more detailed explanation of these options
+check it out.
 
 The heartbeat timeout is used to forcefully disconnect a spark if no data is
 received from the client within the specified amount of time. It is possible

diff --git a/package.json b/package.json
@@ -29,7 +29,8 @@
     "load": "1.0.x",
     "predefine": "0.0.x",
     "eventemitter3": "0.1.x",
-    "forwarded-for": "0.0.x"
+    "forwarded-for": "0.0.x",
+    "access-control": "0.0.x"
   },
   "devDependencies": {
     "binary-pack": "0.0.x",

diff --git a/transformer.js b/transformer.js
@@ -2,6 +2,7 @@
 
 var querystring = require('querystring').parse
   , EventEmitter = require('eventemitter3')
+  , access = require('access-control')
   , url = require('url').parse;
 
 //
@@ -24,6 +25,11 @@ function Transformer(primus) {
   this.service = null;          // Stores the real-time service.
   this.buffer = null;           // Buffer of the library.
 
+  //
+  // Configure the HTTP Access Control (CORS) handling.
+  //
+  this.cors = access(primus.options);
+
   EventEmitter.call(this);
   this.initialise();
 }
@@ -140,6 +146,14 @@ Transformer.prototype.initialise = function initialise() {
  */
 Transformer.prototype.request = function request(req, res) {
   if (!this.test(req)) return this.emit('previous::request', req, res);
+
+  //
+  // HTTP Access Control (CORS) should only be applied to primus routes. As the
+  // `access-control` will only add headers when a `Origin` header is send to
+  // the server, these will not be any overhead for normal requests.
+  //
+  if (this.cors(req, res)) return; // Cors request handled.
+
   if (req.uri.pathname === this.primusjs) return this.emit('static', req, res);
   if (req.uri.pathname === this.specfile) return this.emit('spec', req, res);
   if (!this.primus.auth) return this.emit('request', req, res, noop);