diff --git a/httpsso/handler.go b/httpsso/handler.go
index 26bb143db8325665eebb5983e6e6aa74633ae121..93f37302ad847177c7a0df12a6f112d3347825fd 100644
--- a/httpsso/handler.go
+++ b/httpsso/handler.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"encoding/gob"
 	"encoding/hex"
+	"fmt"
 	"io"
 	"log"
 	"net/http"
@@ -36,6 +37,7 @@ type SSOWrapper struct {
 	sessionAuthKey []byte
 	sessionEncKey  []byte
 	serverURL      string
+	serverOrigin   string
 }
 
 // NewSSOWrapper returns a new SSOWrapper that will authenticate users
@@ -49,6 +51,7 @@ func NewSSOWrapper(serverURL string, pkey []byte, domain string, sessionAuthKey,
 	return &SSOWrapper{
 		v:              v,
 		serverURL:      serverURL,
+		serverOrigin:   originFromURL(serverURL),
 		sessionAuthKey: sessionAuthKey,
 		sessionEncKey:  sessionEncKey,
 	}, nil
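Review bot: The failure to parse `serverURL` is discarded at the `serverOrigin: originFromURL(serverURL)` line, because the helper reports failure as an empty string and the struct literal stores it as-is, even though NewSSOWrapper already has an error return (`}, nil`). A misconfigured SSO server URL then only surfaces later as missing CORS headers on the logout response, which is hard to diagnose. Consider computing the origin before the literal and failing construction, e.g. `if origin == "" { return nil, fmt.Errorf("invalid SSO server URL %q", serverURL) }`. The body of NewSSOWrapper starts outside this hunk, so any earlier validation of `serverURL` is not visible here.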
@@ -130,8 +133,10 @@ func (s *SSOWrapper) handleLogout(w http.ResponseWriter, req *http.Request, sess
 	}
 
 	w.Header().Set("Content-Type", "text/plain")
-	w.Header().Set("Access-Control-Allow-Origin", strings.TrimRight(s.serverURL, "/"))
-	w.Header().Set("Access-Control-Allow-Credentials", "true")
+	if s.serverOrigin != "" {
+		w.Header().Set("Access-Control-Allow-Origin", s.serverOrigin)
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
 	io.WriteString(w, "OK")
 }
 
@@ -181,3 +186,12 @@ func makeUniqueNonce() string {
 	}
 	return hex.EncodeToString(b[:])
 }
+
+// Return the origin from a URL (stripping path and other components).
+func originFromURL(s string) string {
+	parsed, err := url.Parse(s)
+	if err != nil {
+		return ""
+	}
+	return fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host)
+}
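Review bot: originFromURL only returns "" when `url.Parse` fails, but `url.Parse` accepts many inputs that have no scheme or host (for example a bare `example.com/sso` is parsed as a path), and for those the function returns the non-empty string `://`. That value passes the `s.serverOrigin != ""` guard in handleLogout, which then sends an invalid `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`. Tighten the check to `if err != nil || parsed.Scheme == "" || parsed.Host == "" { return "" }`. Browsers compare the header against their own serialised origin, so a configured host in upper case or with an explicit default port would likely never match; lower-casing `parsed.Host` is worth considering. The doc comment would follow Go convention as `// originFromURL returns the scheme://host origin of s, or "" if s is not an absolute URL.`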