• Analyze the issue and understand the problem
• Identify affected files and code samples
• Update all code samples across different versions (8.0, 6.0, 3.1, CorsExample4)
• Update the main documentation (cors.md)
• Update the include files (cors56.md, cors7.md)
• Verify all changes are consistent
• Check for any other references that need updating
• Validate that correct wildcards remain (in AllowAnyHeader, WithExposedHeaders examples)

Summary

Issue: The documentation incorrectly showed using "https://*.example.com" with SetIsOriginAllowedToAllowWildcardSubdomains(). The correct usage requires the base origin without the wildcard (e.g., "https://example.com"). The method itself handles the wildcard subdomain matching internally.

Root Cause: When SetIsOriginAllowedToAllowWildcardSubdomains() is called, it internally adds logic to match wildcard subdomains. Passing "https://*.example.com" to WithOrigins() would attempt to literally match an origin with an asterisk in it, which is not valid. Instead, you pass the base domain "https://example.com" and the method handles matching "https://subdomain.example.com", "https://api.example.com", etc.

Changes Made

Code Samples (4 files):

1. aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs - Updated snippet_aa
2. aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs - Updated snippet_aa
3. aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs - Updated snippet
4. aspnetcore/security/cors/sample/CorsExample4/Startup.cs - Updated AllowSubdomain policy

All changed from "https://*.example.com" to "https://example.com" when used with SetIsOriginAllowedToAllowWildcardSubdomains().

Documentation (3 files):

1. aspnetcore/security/cors.md - Added clarifying paragraph and updated ms.date to 09/29/2025
2. aspnetcore/security/cors/includes/cors56.md - Added clarifying paragraph in 2 sections (for 3.1 and 6.0 versions)
3. aspnetcore/security/cors/includes/cors7.md - Added clarifying paragraph

Added explanatory text: "In the preceding code, SetIsOriginAllowedToAllowWildcardSubdomains is called with the base origin "https://example.com". This configuration allows CORS requests from any subdomain of example.com, such as https://subdomain.example.com or https://api.example.com. The wildcard matching is handled by the method, so the origin should be specified without the * wildcard character."

Validation:

• ✅ All code samples using SetIsOriginAllowedToAllowWildcardSubdomains() now use base origins without wildcards
• ✅ Code samples NOT using SetIsOriginAllowedToAllowWildcardSubdomains() (e.g., with AllowAnyHeader(), WithExposedHeaders()) correctly retain the wildcard pattern "https://*.example.com"
• ✅ Documentation clearly explains the correct usage pattern
• ✅ All affected versions (3.1, 6.0, 8.0+) have been updated consistently

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Internal previews