From c3737cdcba719cec16cc5deb3592a1de196137e3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 29 Sep 2025 19:01:32 +0000 Subject: [PATCH 1/3] Initial plan From 67e48ae79dfe87f81ce657bbbd8640224547cbff Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 29 Sep 2025 19:08:04 +0000 Subject: [PATCH 2/3] Fix SetIsOriginAllowedToAllowWildcardSubdomains usage in code samples Co-authored-by: tdykstra <1569635+tdykstra@users.noreply.github.com> --- .../cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs | 2 +- aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs | 2 +- aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs | 2 +- aspnetcore/security/cors/sample/CorsExample4/Startup.cs | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs b/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs index 802bdb85cc81..e552c2d6cf17 100644 --- a/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs +++ b/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs @@ -27,7 +27,7 @@ public void ConfigureServices(IServiceCollection services) options.AddPolicy("MyAllowSubdomainPolicy", policy => { - policy.WithOrigins("https://*.example.com") + policy.WithOrigins("https://example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); #endregion diff --git a/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs b/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs index e809f1d456f2..afd8007d4cbd 100644 --- a/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs +++ b/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs 
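Review bot: Dropping the `*.` from the origin in `policy.WithOrigins("https://example.com")` most likely disables the subdomain matching that the `MyAllowSubdomainPolicy` sample is meant to demonstrate. As far as I know, ASP.NET Core's `IsOriginAnAllowedSubdomain` only treats configured origins containing `://*.` as wildcard patterns, so after this change only the exact origin `https://example.com` would be allowed and `https://api.example.com` would be rejected. Please confirm with a request that carries a subdomain `Origin` header before merging; if it is refused, keep `policy.WithOrigins("https://*.example.com")`. The same edit is made in the 6.0sample, 8.0sample and CorsExample4 hunks (the enclosing `ConfigureServices` / `AddCors` bodies continue outside all of them). The paragraph added to cors.md, cors56.md and cors7.md in patch 3/3 tells readers to omit the `*`, so it would need the same correction.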
@@ -259,7 +259,7 @@ options.AddPolicy(name: MyAllowSpecificOrigins, policy => { - policy.WithOrigins("https://*.example.com") + policy.WithOrigins("https://example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); }); diff --git a/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs b/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs index 01ad4447f691..0c7ac891ee62 100644 --- a/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs +++ b/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs @@ -261,7 +261,7 @@ options.AddPolicy(name: MyAllowSpecificOrigins, policy => { - policy.WithOrigins("https://*.example.com") + policy.WithOrigins("https://example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); }); diff --git a/aspnetcore/security/cors/sample/CorsExample4/Startup.cs b/aspnetcore/security/cors/sample/CorsExample4/Startup.cs index ec657bcb4b02..04cadbc80553 100644 --- a/aspnetcore/security/cors/sample/CorsExample4/Startup.cs +++ b/aspnetcore/security/cors/sample/CorsExample4/Startup.cs @@ -100,7 +100,7 @@ public void ConfigureServices(IServiceCollection services) options.AddPolicy("AllowSubdomain", policy => { - policy.WithOrigins("https://*.example.com") + policy.WithOrigins("https://example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); // END11 From 03b0195895e49c9dfbd2c1b28a3b98ac9534f0be Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 29 Sep 2025 19:11:28 +0000 Subject: [PATCH 3/3] Add clarification for SetIsOriginAllowedToAllowWildcardSubdomains usage in documentation Co-authored-by: tdykstra <1569635+tdykstra@users.noreply.github.com> --- aspnetcore/security/cors.md | 4 +++- aspnetcore/security/cors/includes/cors56.md | 4 ++++ aspnetcore/security/cors/includes/cors7.md | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/aspnetcore/security/cors.md b/aspnetcore/security/cors.md index 271c4a5f51ed..be7931ff921b 100644 
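Review bot: The `MyAllowSpecificOrigins` policy in the 8.0sample `Program.cs` hunk, which cors.md and cors7.md include as `snippet_aa`, carries no comment on how much trust a wildcard-subdomain policy grants. Every host under `example.com` becomes an allowed origin, so a forgotten or compromised subdomain is trusted as well, which matters most if the policy is later combined with `AllowCredentials()`. I would add above the call `// Allows every subdomain of example.com; list explicit origins instead when only a few hosts need access.` The enclosing `AddCors` lambda starts outside the hunk.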
--- a/aspnetcore/security/cors.md +++ b/aspnetcore/security/cors.md @@ -4,7 +4,7 @@ author: tdykstra description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app. ms.author: tdykstra ms.custom: mvc -ms.date: 9/02/2024 +ms.date: 09/29/2025 uid: security/cors --- # Enable Cross-Origin Requests (CORS) in ASP.NET Core @@ -211,6 +211,8 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)] +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. + ### Set the allowed HTTP methods : diff --git a/aspnetcore/security/cors/includes/cors56.md b/aspnetcore/security/cors/includes/cors56.md index d419d2e64010..20917f7c1520 100644 --- a/aspnetcore/security/cors/includes/cors56.md +++ b/aspnetcore/security/cors/includes/cors56.md @@ -206,6 +206,8 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/6.0sample/Cors/WebAPI/Program.cs?name=snippet_aa)] +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. + ### Set the allowed HTTP methods : 
@@ -821,6 +823,8 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs?name=snippet)] +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. + ### Set the allowed HTTP methods : diff --git a/aspnetcore/security/cors/includes/cors7.md b/aspnetcore/security/cors/includes/cors7.md index 299bb7e767cd..e81a91f566ea 100644 --- a/aspnetcore/security/cors/includes/cors7.md +++ b/aspnetcore/security/cors/includes/cors7.md @@ -207,6 +207,8 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)] +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. + ### Set the allowed HTTP methods :