diff --git a/arkindex/documents/apps.py b/arkindex/documents/apps.py
index bcac7a32f5ebb467607b5047e8eb2b3c5ff6e9c5..3c13922569f129cbbf2d79fe2602cabfeb367459 100644
--- a/arkindex/documents/apps.py
+++ b/arkindex/documents/apps.py
@@ -5,4 +5,5 @@ class DocumentsConfig(AppConfig):
 name = 'arkindex.documents'
 def ready(self):
+ from arkindex.documents import signals # noqa: F401
 from arkindex.project import checks # noqa: F401
diff --git a/arkindex/documents/signals.py b/arkindex/documents/signals.py
new file mode 100644
index 0000000000000000000000000000000000000000..287f29546240feff4f67eb97353bf40976596fbf
--- /dev/null
+++ b/arkindex/documents/signals.py
@@ -0,0 +1,17 @@
+from corsheaders.signals import check_request_enabled
+
+# List of endpoint open to any cross origin request
+OPEN_CORS_API = (
+ ('api', 'folder-manifest'),
+ ('api', 'element-annotation-list'),
+)
+
+
+def cors_allow_any_origin(sender, request, **kwargs):
+ route_match = request.resolver_match
+ if route_match is None:
+ return False
+ return (route_match.namespace, route_match.url_name) in OPEN_CORS_API
+
+
+check_request_enabled.connect(cors_allow_any_origin)
diff --git a/arkindex/documents/tests/test_open_cors.py b/arkindex/documents/tests/test_open_cors.py
new file mode 100644
index 0000000000000000000000000000000000000000..aee1936dbcb31dcccf1b1bd77723ee48982d3790
--- /dev/null
+++ b/arkindex/documents/tests/test_open_cors.py
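Review bot: In arkindex/documents/signals.py, `cors_allow_any_origin` returning True makes django-cors-headers echo the caller's `Origin` back in `Access-Control-Allow-Origin` (the new test asserts exactly that), so any website can read these two routes from a visitor's browser. If the project settings enable `CORS_ALLOW_CREDENTIALS` (not visible in this diff), the response would also carry `Access-Control-Allow-Credentials: true`, and whatever a logged-in user's session can see through these views becomes readable cross-site. Please confirm both views only ever return public data and record that constraint above `OPEN_CORS_API`, e.g. `# Routes listed here are readable by ANY origin: the views must not return per-user or non-public data.` Separately, `request.resolver_match` is presumably still unset when the middleware answers a preflight `OPTIONS`, so this handler would open simple requests only; a docstring on the handler should say so.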
@@ -0,0 +1,26 @@
+from django.urls import reverse
+
+from arkindex.documents.models import Element
+from arkindex.project.tests import FixtureAPITestCase
+
+
+class TestOpenCors(FixtureAPITestCase):
+
+ @classmethod
+ def setUpTestData(cls):
+ super().setUpTestData()
+ cls.vol = Element.objects.get(name='Volume 1')
+
+ def test_cors_open_endpoint(self):
+ response = self.client.get(
+ reverse('api:folder-manifest', kwargs={'pk': self.vol.id}),
+ HTTP_ORIGIN="http://anywhere.net",
+ )
+ self.assertEqual(response.headers.get('Access-Control-Allow-Origin'), 'http://anywhere.net')
+
+ def test_cors_closed_endpoint(self):
+ response = self.client.get(
+ reverse('api:element-retrieve', kwargs={'pk': self.vol.id}),
+ HTTP_ORIGIN="http://anywhere.net",
+ )
+ self.assertFalse('Access-Control-Allow-Origin' in response.headers.keys())
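Review bot: `test_cors_open_endpoint` pins the reflected `Access-Control-Allow-Origin` but asserts nothing about `Access-Control-Allow-Credentials`, which is the header that decides whether an arbitrary origin may read authenticated responses. If the open routes are meant to be anonymous-only, add `self.assertNotIn('Access-Control-Allow-Credentials', response.headers)`; if credentialed access is intended, assert its expected value explicitly so the policy is locked in by the test. In `test_cors_closed_endpoint`, `self.assertNotIn('Access-Control-Allow-Origin', response.headers)` gives a clearer failure message than `assertFalse(... in response.headers.keys())`. A case for the second listed route, `api:element-annotation-list`, would keep the allow-list and the tests in step.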