diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f757f3..807887a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added option in Flask Talisman to add Adobe Typekit CSP rules with `allow_typekit_content_security_policy=True`
-- Allow `Access-Control-Allow-Origin` header to be set in `Talisman` with `allow_cors_origin`
 ### Changed
diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
index 60b3727..a246241 100644
--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -239,15 +239,3 @@ def test_talisman_force_https_permanent(self):
 "https://localhost/foobar?test=1",
 rv.headers["Location"],
 )
-
- def test_talisman_allow_cors_origin(self):
- Talisman(self.app, force_https=False, allow_cors_origin="https://example.com")
-
- rv = self.test_client.get("/")
-
- self.assertEqual(rv.status_code, 200)
-
- self.assertIn("Access-Control-Allow-Origin", rv.headers)
- self.assertEqual(
- "https://example.com", rv.headers["Access-Control-Allow-Origin"]
- )
diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index 408e703..4cba247 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -76,7 +76,6 @@ def init_app(
 referrer_policy: str = "strict-origin-when-cross-origin",
 force_https: bool = True,
 force_https_permanent: bool = False,
- allow_cors_origin: str | None = None,
 ):
 """
 Initialises the Talisman extension for the Flask app.
@@ -88,7 +87,6 @@ def init_app(
 :param referrer_policy: The Referrer-Policy header value to apply to responses. Defaults to "strict-origin-when-cross-origin".
 :param force_https: If True, forces incoming requests to be redirected to HTTPS if they are not already secure and the application is not in debug mode. Defaults to True.
 :param force_https_permanent: If True, uses a permanent redirect (HTTP 301) when forcing HTTPS, otherwise uses a temporary redirect (HTTP 302). Defaults to False.
- :param allow_cors_origin: If specified, sets the Access-Control-Allow-Origin header to the given value. Defaults to None.
 """
 content_security_policy = content_security_policy or {}
@@ -112,7 +110,6 @@ def init_app(
 self.referrer_policy = referrer_policy
 self.force_https = force_https
 self.force_https_permanent = force_https_permanent
- self.allow_cors_origin = allow_cors_origin
 self.app.before_request(self._force_https_redirect)
 self.app.after_request(self._apply_extra_headers)
@@ -161,8 +158,6 @@ def _apply_extra_headers(self, response):
 )
 response.headers.update(common_security_headers(**self.security_headers))
 response.headers["Referrer-Policy"] = self.referrer_policy
- if self.allow_cors_origin:
- response.headers["Access-Control-Allow-Origin"] = self.allow_cors_origin
 return response
 def _csp(