diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md
index 97ed7f2a6..9261a6540 100644
--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -301,7 +301,7 @@ listen:
 prefix: string
 ```
-- `address` -
+- `address` - Hostname or IP to listen on.
 - `port` - HTTP port to listen on.
 - `prefix` - URL root for karma, you can use to if you wish to serve it from location other than `/`. This option is mostly useful when using karma behind
diff --git a/main.go b/main.go
index dfb2d7c4e..2558e8b2a 100644
--- a/main.go
+++ b/main.go
@@ -63,7 +63,17 @@ func setupRouter(router *gin.Engine) {
 // so we end up with /static/static/js
 router.Use(static.Serve(getViewURL("/static/static/js/"), staticSrcFileSystem))
 router.Use(cors.New(cors.Config{
- AllowAllOrigins: true,
+ // This works different than AllowAllOrigins=true
+ // 1. AllowAllOrigins will cause responses to include
+ // 'Access-Control-Allow-Origin: *' header in all responses
+ // 2. Setting AllowOriginFunc allows to validate origin URI and if it passes
+ // the response will include 'Access-Control-Allow-Origin: $origin'
+ // So the logic is the same, but implementation is different.
+ // We need second behavior since setting `credentials: include` on JS
+ // fetch() will fail with 'Access-Control-Allow-Origin: *' responses
+ AllowOriginFunc: func(origin string) bool {
+ return true
+ },
 AllowCredentials: true,
 AllowMethods: []string{"GET", "POST", "DELETE"},
 AllowHeaders: []string{"Origin"},
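Review bot: In the main.go hunk, `AllowOriginFunc` returns `true` for every origin while `AllowCredentials: true` stays set, so by the hunk's own comment any requesting origin is echoed back in `Access-Control-Allow-Origin` on a credentialed response. Browsers reject `Access-Control-Allow-Origin: *` on credentialed requests so that arbitrary sites cannot read authenticated responses, which means the comment's "the logic is the same" understates the change: the new code permits cross-origin credentialed GET/POST/DELETE from any site. I would check the origin against an operator-configured allowlist instead, for example `AllowOrigins: allowedOrigins,` where `allowedOrigins` is a placeholder for a new configuration value, and keep a permissive function only as an explicit opt-in. The comment should also state this trade-off rather than describe the two settings as equivalent. `setupRouter` starts and ends outside the hunk, so whether authentication or a reverse proxy sits in front of these routes is not visible here.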