diff --git a/index.js b/index.js
index 69ccc85..41945b8 100644
--- a/index.js
+++ b/index.js
@@ -58,8 +58,6 @@ module.exports = function(options) {
     // https://github.com/rs/cors/issues/10
     ctx.vary('Origin');
 
-    if (!requestOrigin) return await next();
-
     let origin;
     if (typeof options.origin === 'function') {
       origin = await options.origin(ctx);
diff --git a/test/cors.test.js b/test/cors.test.js
index 02b0613..6d0ebda 100644
--- a/test/cors.test.js
+++ b/test/cors.test.js
@@ -77,6 +77,14 @@ describe('cors.test.js', function() {
         .expect({ foo: 'bar' })
         .expect(200, done);
     });
+
+    it('should always set `Access-Control-Allow-Origin` to *, even if no Origin is passed on request', function(done) {
+      request(app.listen())
+        .get('/')
+        .expect('Access-Control-Allow-Origin', '*')
+        .expect({ foo: 'bar' })
+        .expect(200, done);
+    });
   });
 
   describe('options.secureContext=true', function() {