diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b77d9fe15..cb11bff497 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,14 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 
 ## Next
 
+### Bug Fixes
+
+* You can now omit `cors_enabled` to use its implicit setting of `true` when
+  specifying `cors_allowed_origins`. Previously, omitting `cors_enabled` would
+  cause an explicit `cors_allowed_origins` to be ignored, resetting this value
+  to the desktop origin only.
+  [PR](https://github.com/hashicorp/boundary/pull/1247)
+
 ## 0.2.2 (2021/05/17)
 
 ### New and Improved
diff --git a/internal/cmd/config/config.go b/internal/cmd/config/config.go
index c1d9f2007e..67e88e625a 100644
--- a/internal/cmd/config/config.go
+++ b/internal/cmd/config/config.go
@@ -345,8 +345,8 @@ func Parse(d string) (*Config, error) {
 			if listener.CorsEnabled == nil {
 				listener.CorsEnabled = new(bool)
 				*listener.CorsEnabled = true
-				listener.CorsAllowedOrigins = []string{desktopCorsOrigin}
 			}
+
 			// If not the wildcard and they haven't disabled us auto-adding
 			// origin values, add the desktop client origin
 			if *listener.CorsEnabled &&
diff --git a/internal/cmd/config/config_test.go b/internal/cmd/config/config_test.go
index 8a6062a4c5..bbc2156bee 100644
--- a/internal/cmd/config/config_test.go
+++ b/internal/cmd/config/config_test.go
@@ -116,6 +116,34 @@ func TestDevController(t *testing.T) {
 		assert.Equal(t, []string{"*"}, l0.CorsAllowedOrigins)
 		assert.Nil(t, l0.CorsDisableDefaultAllowedOriginValues)
 
+		// Implicitly with explicit wildcard
+		conf = `
+		listener "tcp" {
+			purpose = "api"
+			cors_allowed_origins = ["*"]
+		}
+		`
+		actual, err = Parse(conf)
+		assert.NoError(t, err)
+		l0 = actual.Listeners[0]
+		assert.True(t, *l0.CorsEnabled)
+		assert.Equal(t, []string{"*"}, l0.CorsAllowedOrigins)
+		assert.Nil(t, l0.CorsDisableDefaultAllowedOriginValues)
+
+		// Implicitly with explicit non-wildcard
+		conf = `
+		listener "tcp" {
+			purpose = "api"
+			cors_allowed_origins = ["foobar"]
+		}
+		`
+		actual, err = Parse(conf)
+		assert.NoError(t, err)
+		l0 = actual.Listeners[0]
+		assert.True(t, *l0.CorsEnabled)
+		assert.Equal(t, []string{"foobar", desktopCorsOrigin}, l0.CorsAllowedOrigins)
+		assert.Nil(t, l0.CorsDisableDefaultAllowedOriginValues)
+
 		// Disabled, default behavior
 		conf = `
 		listener "tcp" {