@Copilot Copilot AI commented Sep 29, 2025

  • Analyze the issue and understand the problem
  • Identify affected files and code samples
  • Update all code samples across different versions (8.0, 6.0, 3.1, CorsExample4)
  • Update the main documentation (cors.md)
  • Update the include files (cors56.md, cors7.md)
  • Verify all changes are consistent
  • Check for any other references that need updating
  • Validate that correct wildcards remain (in AllowAnyHeader, WithExposedHeaders examples)

Summary

Issue: The documentation incorrectly showed using "https://*.example.com" with SetIsOriginAllowedToAllowWildcardSubdomains(). The correct usage requires the base origin without the wildcard (e.g., "https://example.com"). The method itself handles the wildcard subdomain matching internally.

Root Cause: When SetIsOriginAllowedToAllowWildcardSubdomains() is called, it internally adds logic to match wildcard subdomains. Passing "https://*.example.com" to WithOrigins() would attempt to literally match an origin with an asterisk in it, which is not valid. Instead, you pass the base domain "https://example.com" and the method handles matching "https://subdomain.example.com", "https://api.example.com", etc.

Changes Made

Code Samples (4 files):

  1. aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs - Updated snippet_aa
  2. aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs - Updated snippet_aa
  3. aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs - Updated snippet
  4. aspnetcore/security/cors/sample/CorsExample4/Startup.cs - Updated AllowSubdomain policy

All changed from "https://*.example.com" to "https://example.com" when used with SetIsOriginAllowedToAllowWildcardSubdomains().

Documentation (3 files):

  1. aspnetcore/security/cors.md - Added clarifying paragraph and updated ms.date to 09/29/2025
  2. aspnetcore/security/cors/includes/cors56.md - Added clarifying paragraph in 2 sections (for 3.1 and 6.0 versions)
  3. aspnetcore/security/cors/includes/cors7.md - Added clarifying paragraph

Added explanatory text: "In the preceding code, SetIsOriginAllowedToAllowWildcardSubdomains is called with the base origin "https://example.com". This configuration allows CORS requests from any subdomain of example.com, such as https://subdomain.example.com or https://api.example.com. The wildcard matching is handled by the method, so the origin should be specified without the * wildcard character."

Validation:

  • ✅ All code samples using SetIsOriginAllowedToAllowWildcardSubdomains() now use base origins without wildcards
  • ✅ Code samples NOT using SetIsOriginAllowedToAllowWildcardSubdomains() (e.g., with AllowAnyHeader(), WithExposedHeaders()) correctly retain the wildcard pattern "https://*.example.com"
  • ✅ Documentation clearly explains the correct usage pattern
  • ✅ All affected versions (3.1, 6.0, 8.0+) have been updated consistently
Original prompt

This section details on the original issue you should resolve

<issue_title>SetIsOriginAllowedToAllowWildcardSubdomains requires base origin instead of wildcard</issue_title>
<issue_description>### Description

Seems that the setup here does not work for wildcard when SetIsOriginAllowedToAllowWildcardSubdomains is used.

https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-9.0#set-the-allowed-origins

policy.WithOrigins("https://*.example.com")

However base class will:

policy.WithOrigins("https://example.com")

https://x.com/KedziorArtur/status/1960011635512180947

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-9.0#set-the-allowed-origins

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/cors.md

Document ID

d3f332c4-4c60-039e-0e1e-bc6b11831f87

Platform Id

fa70aa3f-a2de-be8b-4255-e778a6edb8ff

Article author

@tdykstra

Metadata

  • ID: 59bca5db-1196-2a8b-a0d8-4e89b2382288
  • PlatformId: fa70aa3f-a2de-be8b-4255-e778a6edb8ff
  • Service: aspnet-core
  • Sub-service: security

Related Issues


Associated WorkItem - 486310</issue_description>

Comments on the Issue (you are @copilot in this section)

@wadepickett triage, cc @tdykstra
Fixes #35990

Internal previews

| 📄 File | 🔗 Preview link |
| --- | --- |
| aspnetcore/security/cors.md | aspnetcore/security/cors |

@wadepickett wadepickett left a comment

@tdykstra, this looks great with your corrections added. Approved.

@wadepickett wadepickett marked this pull request as ready for review September 30, 2025 18:44
@tdykstra tdykstra merged commit 7de7f61 into main Sep 30, 2025
4 checks passed
@tdykstra tdykstra deleted the copilot/fix-d5c564f8-8b56-4058-88be-5fd5fd4fd35c branch September 30, 2025 18:54
@dotnetrepoman dotnetrepoman bot added the mapQuest clean move label Sep 30, 2025
@dotnet-policy-service dotnet-policy-service bot removed the mapQuest clean move label Sep 30, 2025
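
A check for the behaviour this thread discusses, as an added example that is not part of the pull request or of the ASP.NET Core documentation: it builds one policy per `WithOrigins` form and evaluates each against a set of origins, so the accepted form can be confirmed on the framework version actually deployed. The class name and the candidate origins are constructed for illustration.

```csharp
// Added example. Needs a project that references the Microsoft.AspNetCore.App
// shared framework (for Microsoft.AspNetCore.Cors.Infrastructure).
using System;
using Microsoft.AspNetCore.Cors.Infrastructure;

public static class WildcardOriginCheck   // hypothetical name
{
    // Constructed sample origins: the base origin, two subdomains, and
    // look-alike hosts that a subdomain policy must never accept.
    private static readonly string[] Candidates =
    {
        "https://example.com",
        "https://api.example.com",
        "https://a.b.example.com",
        "http://api.example.com",            // scheme differs
        "https://evilexample.com",           // shares the suffix, no dot boundary
        "https://example.com.attacker.test"  // base domain used as a prefix
    };

    // Build the policy the same way the samples in this thread do.
    private static CorsPolicy Build(string configuredOrigin) =>
        new CorsPolicyBuilder()
            .WithOrigins(configuredOrigin)
            .SetIsOriginAllowedToAllowWildcardSubdomains()
            .Build();

    public static void Main()
    {
        // The two forms compared in the issue and the pull request.
        foreach (var configured in new[] { "https://*.example.com", "https://example.com" })
        {
            var policy = Build(configured);
            Console.WriteLine($"WithOrigins(\"{configured}\")");

            foreach (var origin in Candidates)
            {
                // IsOriginAllowed is the delegate on the built policy that
                // decides whether a request's Origin header is accepted.
                Console.WriteLine($"  {origin,-38} allowed={policy.IsOriginAllowed(origin)}");
            }
        }
    }
}
```

The output shows, per form, which subdomains are accepted and whether any of the look-alike hosts slip through; a policy that accepts either of the last two candidates is too permissive.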