[WIP] SetIsOriginAllowedToAllowWildcardSubdomains requires base origin instead of wildcard

aspnetcore/security/cors.md

@@ -4,7 +4,7 @@ author: tdykstra
 description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app.
 ms.author: tdykstra
 ms.custom: mvc
-ms.date: 9/02/2024
+ms.date: 09/29/2025
 uid: security/cors
 ---
 # Enable Cross-Origin Requests (CORS) in ASP.NET Core
@@ -211,6 +211,8 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)]
 
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+
 ### Set the allowed HTTP methods
 
 <xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:

aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs

@@ -27,7 +27,7 @@ public void ConfigureServices(IServiceCollection services)
                 options.AddPolicy("MyAllowSubdomainPolicy",
                     policy =>
                     {
-                        policy.WithOrigins("https://*.example.com")
+                        policy.WithOrigins("https://example.com")
                             .SetIsOriginAllowedToAllowWildcardSubdomains();
                     });
                 #endregion

aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs

@@ -259,7 +259,7 @@
     options.AddPolicy(name: MyAllowSpecificOrigins,
         policy =>
         {
-            policy.WithOrigins("https://*.example.com")
+            policy.WithOrigins("https://example.com")
                 .SetIsOriginAllowedToAllowWildcardSubdomains();
         });
 });

aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs

@@ -261,7 +261,7 @@
     options.AddPolicy(name: MyAllowSpecificOrigins,
         policy =>
         {
-            policy.WithOrigins("https://*.example.com")
+            policy.WithOrigins("https://example.com")
                 .SetIsOriginAllowedToAllowWildcardSubdomains();
         });
 });

aspnetcore/security/cors/includes/cors56.md

@@ -206,6 +206,8 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/6.0sample/Cors/WebAPI/Program.cs?name=snippet_aa)]
 
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+
 ### Set the allowed HTTP methods
 
 <xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:
@@ -821,6 +823,8 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs?name=snippet)]
 
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+
 ### Set the allowed HTTP methods
 
 <xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:

aspnetcore/security/cors/includes/cors7.md

@@ -207,6 +207,8 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)]
 
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+
 ### Set the allowed HTTP methods
 
 <xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:

aspnetcore/security/cors/sample/CorsExample4/Startup.cs

@@ -100,7 +100,7 @@ public void ConfigureServices(IServiceCollection services)
                 options.AddPolicy("AllowSubdomain",
                     policy =>
                     {
-                        policy.WithOrigins("https://*.example.com")
+                        policy.WithOrigins("https://example.com")
                             .SetIsOriginAllowedToAllowWildcardSubdomains();
                     });
                 // END11