solo-io
diff --git a/‎api/gloo/gateway/v1/virtual_service.proto
+2-5 b/‎api/gloo/gateway/v1/virtual_service.proto
+2-5
diff --git a/‎api/gloo/gloo/v1/options.proto
+7-2 b/‎api/gloo/gloo/v1/options.proto
+7-2
diff --git a/‎api/gloo/gloo/v1/options/cors/cors.proto
+39 b/‎api/gloo/gloo/v1/options/cors/cors.proto
+39
diff --git a/‎pkg/api/gateway.solo.io/v1/virtual_service.pb.go
+2-5 b/‎pkg/api/gateway.solo.io/v1/virtual_service.pb.go
+2-5
diff --git a/‎pkg/api/gloo.solo.io/v1/options.pb.clone.go
+6 b/‎pkg/api/gloo.solo.io/v1/options.pb.clone.go
+6
diff --git a/‎pkg/api/gloo.solo.io/v1/options.pb.equal.go
+10 b/‎pkg/api/gloo.solo.io/v1/options.pb.equal.go
+10
@@ -113,11 +113,8 @@ import "github.com/solo-io/solo-apis/api/gloo/gloo/v1/core/matchers/matchers.pro
 message VirtualServiceSpec {
 
 
-    // The VirtualHost contains the
-    // The list of HTTP routes define routing actions to be taken
-    // for incoming HTTP requests whose host header matches
-    // this virtual host. If the request matches more than one route in the list, the first route matched will be selected.
-    // If the list of routes is empty, the virtual host will be ignored by Gloo.
+    // The VirtualHost contains configuration for serving a list of routes for a set of domains along with options for
+    // configuring traffic
     VirtualHost virtual_host = 1;
 
     // If provided, the Gateway will serve TLS/SSL traffic for this set of routes
 
@@ -274,7 +274,8 @@ message VirtualHostOptions {
     headers.options.gloo.solo.io.HeaderManipulation header_manipulation = 2;
     // Defines a CORS policy for the virtual host
     // If a CORS policy is also defined on the route matched by the request, the route policy
-    // overrides the virtual host policy for any configured field.
+    // overrides the virtual host policy for any configured field unless CorsMergeSettings are specified that define an
+    // alternate behavior.
     cors.options.gloo.solo.io.CorsPolicy cors = 3;
     // Transformations to apply. Note: this field is superseded by `staged_transformations`.
     // If `staged_transformations.regular` is set, this field will be ignored.
@@ -384,6 +385,9 @@ message VirtualHostOptions {
     // Enterprise-only: External Processing filter settings for the virtual host. This can be used to
     // override certain HttpListenerOptions settings, and can be overridden by RouteOptions settings.
     extproc.options.gloo.solo.io.RouteSettings ext_proc = 30;
+
+    // Settings for determining merge strategy for CORS settings when present at both Route and VH level
+    cors.options.gloo.solo.io.CorsPolicyMergeSettings cors_policy_merge_settings = 20;
 }
 
 // Optional, feature-specific configuration that lives on routes.
@@ -441,7 +445,8 @@ message RouteOptions {
     // If true and there is a host rewrite, appends the x-forwarded-host header to requests.
     google.protobuf.BoolValue append_x_forwarded_host = 146;
     // Defines a CORS policy for the route
-    // If a CORS policy is also defined on the route's virtual host any fields set here override the virtual host configuration 
+    // If a CORS policy is defined on both the route and the virtual host, the merge behavior for these policies is
+    // determined by the CorsPolicyMergeSettings defined on the VirtualHost.
     cors.options.gloo.solo.io.CorsPolicy cors = 11;
     // For routes served by a hashing load balancer, this defines the input to the hash key
     // Gloo configures Envoy with the first available RouteActionHashConfig among the following ordered list of providers:
 
@@ -39,4 +39,43 @@ message CorsPolicy {
     // Optional, only applies to route-specific CORS Policies, defaults to false.
     // If set, the CORS Policy (specified on the virtual host) will be disabled for this route.
     bool disable_for_route = 8;
+}
+
+// Settings for determining how CORS settings are merged when present on both VirtualHost and Route
+// This may be useful if different teams/personas are responsible for managing VirtualService and Route resources and policies
+// on VirtualServices set by one team or persona should be enforced or inherited on Routes
+message CorsPolicyMergeSettings {
+    enum MergeStrategy{
+        // Follow the default Envoy behavior, which is for Route settings to override VH settings if non-nil
+        DEFAULT = 0;
+        // When a setting is present on both VH and Route CORS policy, merge by concatenating for list fields and by
+        // ORing for boolean fields
+        UNION = 1;
+
+        // Eventually we may want to add additional mergeStrategies
+
+        // When a setting is present on both VH and Route CORS policy, merge by taking only values present in both for
+        // list fields and by ANDing for boolean fields
+        // INTERSECTION = 2;
+
+        // When a setting is present on both VH and Route CORS policy, use the Route-level field
+        // This is Envoy's underlying behavior, so effectively the same as default
+        // ROUTE = 3;
+
+        // When a setting is present on both VH and Route CORS policy, use the VH-level field
+        // VH = 4;
+    }
+
+    // Eventually we may want to allow each CORS setting to be configured, so we reserve fields for them
+
+    // mimicking the CorsPolicy message
+    // mergeStrategy allow_origin = 1;
+    // mergeStrategy allow_origin_regex = 2;
+    // mergeStrategy allow_methods = 3;
+    // mergeStrategy allow_headers = 4;
+
+    MergeStrategy expose_headers = 5;
+
+    // mergeStrategy max_age = 6;
+    // mergeStrategy allow_credentials = 7;
 }