From e3c30defbeb79d8cfbaa3dbc0c5df1c66cc9ebd8 Mon Sep 17 00:00:00 2001
From: Randall Morey <randall@hashicorp.com>
Date: Thu, 18 Mar 2021 11:48:37 -0400
Subject: [PATCH] docs: clarify CORS configuration options (#1011)

* docs: clarify CORS configuration options

* docs: use double quotes
---
 website/content/docs/configuration/controller.mdx   |  2 +-
 website/content/docs/configuration/listener/tcp.mdx | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/configuration/controller.mdx b/website/content/docs/configuration/controller.mdx
index 86b0ed502f..94d622de91 100644
--- a/website/content/docs/configuration/controller.mdx
+++ b/website/content/docs/configuration/controller.mdx
@@ -136,7 +136,7 @@ listener "tcp" {
   # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
   # to appropriate values.
   #cors_enabled = true
-  #cors_allowed_origins = ["yourcorp.yourdomain.com"]
+  #cors_allowed_origins = ["https://yourcorp.yourdomain.com", "serve://boundary"]
 }
 
 # Data-plane listener configuration block (used for worker coordination)
diff --git a/website/content/docs/configuration/listener/tcp.mdx b/website/content/docs/configuration/listener/tcp.mdx
index b0869c4071..d61bb488be 100644
--- a/website/content/docs/configuration/listener/tcp.mdx
+++ b/website/content/docs/configuration/listener/tcp.mdx
@@ -61,6 +61,16 @@ allowed.
   request duration allowed before Boundary cancels the request. This overrides
   `default_max_request_duration` for this listener.
 
+- `cors_enabled` `(boolean: true)` - Specifies if CORS should be enabled, which
+  allows Boundary to support external browser-based clients (not including
+  admin UI), such as Boundary Desktop.
+
+- `cors_allowed_origins` `(array(string): ["serve://boundary"])` - an array of
+  allowed CORS origins. Origins must include protocol, host, and port (if port
+  is different than the default for the specified protocol).
+  To allow all origins, set to `['*']`. By default, Boundary Desktop's origin
+  `serve://boundary` is allowed.
+
 ### TLS
 
 ~> All `tls` parameters are valid only for the `api` listener. `cluster` and