diff --git a/src/app/config.js b/src/app/config.js
index c8f1e4d0..20fb36f6 100644
--- a/src/app/config.js
+++ b/src/app/config.js
@@ -11,11 +11,24 @@ angular
 $qProvider.errorOnUnhandledRejections(false);
 $locationProvider.hashPrefix('');
- jwtOptionsProvider.config({
+
+ var jwtConfig = {
 // Using Content-Language header since it is unused and is a CORS-safelisted header. This avoids pre-flights.
 authHeader: 'Content-Language',
 whiteListedDomains: appSettings.whitelistDomains
- });
+ };
+
+ // Safari doesn't work with unconventional "Content-Language" header for CORS.
+ // See notes here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+ var userAgent = navigator.userAgent.toLowerCase();
+ if (userAgent.indexOf('safari') > -1 && userAgent.indexOf('chrome') === -1) {
+ jwtConfig = {
+ urlParam: 'access_token',
+ whiteListedDomains: appSettings.whitelistDomains
+ };
+ }
+
+ jwtOptionsProvider.config(jwtConfig);
 
 var refreshPromise;
 jwtInterceptorProvider.tokenGetter = /*@ngInject*/ function (options, tokenService, authService) {
 if (options.url.indexOf(appSettings.apiUri) !== 0) {
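Review bot: The Safari branch moves the JWT into the query string (`urlParam: 'access_token'`), so the bearer token is written wherever request URLs are recorded: server, proxy and CDN access logs, and any monitoring that captures full URLs. Sending it in the standard header costs a CORS pre-flight but keeps it out of URLs, e.g. `jwtConfig = { authHeader: 'Authorization', whiteListedDomains: appSettings.whitelistDomains };`, assuming the API accepts and allows that header (not visible here). If the URL parameter has to stay, the token should be short-lived and `access_token` scrubbed from request logs. The `userAgent` substring test also selects this branch for any browser whose UA contains "safari" but not "chrome", so the weaker transport may apply more widely than intended. The enclosing config function begins and ends outside this hunk.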