diff --git a/internal/daemon/controller/cors_test.go b/internal/daemon/controller/cors_test.go
index 63d8543084..9261d2a1b2 100644
--- a/internal/daemon/controller/cors_test.go
+++ b/internal/daemon/controller/cors_test.go
@@ -76,6 +76,15 @@ func TestHandler_CORS(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+
+	var wildcardListenerNum int
+	for listenerNum, listener := range cfg.Listeners {
+		if len(listener.CorsAllowedOrigins) == 1 && listener.CorsAllowedOrigins[0] == "*" {
+			wildcardListenerNum = listenerNum
+			break
+		}
+	}
+
 	tc := NewTestController(t, &TestControllerOpts{
 		Config:                       cfg,
 		DisableAuthorizationFailures: true,
@@ -256,7 +265,11 @@ func TestHandler_CORS(t *testing.T) {
 
 			// If origin was set and we expect it to be successful, run some more checks
 			if c.origin != "" && c.code == http.StatusOK && c.listenerNum > 1 {
-				assert.Equal(t, c.origin, resp.HttpResponse().Header.Get("Access-Control-Allow-Origin"))
+				expOrigin := c.origin
+				if c.listenerNum == wildcardListenerNum {
+					expOrigin = "*"
+				}
+				assert.Equal(t, expOrigin, resp.HttpResponse().Header.Get("Access-Control-Allow-Origin"))
 				assert.Equal(t, "Origin", resp.HttpResponse().Header.Get("Vary"))
 			}
 		})
diff --git a/internal/daemon/controller/handler.go b/internal/daemon/controller/handler.go
index 7f8eed9eb5..99454054ed 100644
--- a/internal/daemon/controller/handler.go
+++ b/internal/daemon/controller/handler.go
@@ -419,6 +419,9 @@ func wrapHandlerWithCors(h http.Handler, props HandlerProperties) http.Handler {
 
 		case len(allowedOrigins) == 1 && allowedOrigins[0] == "*":
 			valid = true
+			// When allowed origins is "*" we want to return that rather than
+			// round-tripping any user-specified value
+			origin = "*"
 
 		default:
 			valid = strutil.StrListContains(allowedOrigins, origin)