Commit 7de7f61

Copilot and tdykstra authored
[WIP] SetIsOriginAllowedToAllowWildcardSubdomains requires base origin instead of wildcard (#36164)
* Initial plan
* Fix SetIsOriginAllowedToAllowWildcardSubdomains usage in code samples
  Co-authored-by: tdykstra <[email protected]>
* Add clarification for SetIsOriginAllowedToAllowWildcardSubdomains usage in documentation
  Co-authored-by: tdykstra <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: tdykstra <[email protected]>
1 parent f12bf87 commit 7de7f61

7 files changed

+13
-5
lines changed


aspnetcore/security/cors.md

Lines changed: 3 additions & 1 deletion
@@ -4,7 +4,7 @@ author: tdykstra
44
description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app.
55
ms.author: tdykstra
66
ms.custom: mvc
7-
ms.date: 9/02/2024
7+
ms.date: 09/29/2025
88
uid: security/cors
99
---
1010
# Enable Cross-Origin Requests (CORS) in ASP.NET Core
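Review bot: Only `ms.date` changes in this hunk, but the `description` on line 4 of the same front matter reads "Learn how CORS as a standard for allowing or rejecting cross-origin requests", which is missing a verb. Since the front matter is being touched anyway, fix it in the same commit, for example "Learn how CORS works as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app."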
@@ -211,6 +211,8 @@ This section describes the various options that can be set in a CORS policy:
211211

212212
[!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)]
213213

214+
In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
215+
214216
### Set the allowed HTTP methods
215217

216218
<xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:
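Review bot: The paragraph added at new line 214 says the policy allows "any subdomain of `example.com`" but does not say whether the base origin `https://example.com` itself is allowed, or whether nested subdomains (a constructed case: `https://a.b.example.com`) match. Suggest stating both cases explicitly. It would also help to add one sentence on the trust this implies: the policy extends cross-origin access to every host under `example.com`, so the API is only as well protected as the least-controlled subdomain, which matters most when the policy is combined with credentials.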

aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ public void ConfigureServices(IServiceCollection services)
2727
options.AddPolicy("MyAllowSubdomainPolicy",
2828
policy =>
2929
{
30-
policy.WithOrigins("https://*.example.com")
30+
policy.WithOrigins("https://example.com")
3131
.SetIsOriginAllowedToAllowWildcardSubdomains();
3232
});
3333
#endregion
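Review bot: Line 30 changes the string passed to `WithOrigins`, which changes which origins the `MyAllowSubdomainPolicy` sample accepts, yet nothing visible in this commit demonstrates the new behavior: there is no test, no link to the API reference, and the title is still marked `[WIP]`. Before merging, add or cite a check that a request with `Origin: https://api.example.com` is accepted under `policy.WithOrigins("https://example.com")` followed by `.SetIsOriginAllowedToAllowWildcardSubdomains()`. If the method only expands entries that contain `*.`, this policy would match `https://example.com` exactly and the sample would silently lose subdomain support.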

aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs

Lines changed: 1 addition & 1 deletion
@@ -259,7 +259,7 @@
259259
options.AddPolicy(name: MyAllowSpecificOrigins,
260260
policy =>
261261
{
262-
policy.WithOrigins("https://*.example.com")
262+
policy.WithOrigins("https://example.com")
263263
.SetIsOriginAllowedToAllowWildcardSubdomains();
264264
});
265265
});
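Review bot: With the `*` removed at line 262, `policy.WithOrigins("https://example.com")` reads as an exact-origin allowlist entry, and the policy is registered under `MyAllowSpecificOrigins`, so a reader copying the snippet can miss that the chained `.SetIsOriginAllowedToAllowWildcardSubdomains()` on line 263 is meant to widen it to all subdomains. Suggest a one-line comment above `WithOrigins` stating the intended scope, or a policy name that mentions subdomains, as the 3.1 sample's `MyAllowSubdomainPolicy` does.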

aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs

Lines changed: 1 addition & 1 deletion
@@ -261,7 +261,7 @@
261261
options.AddPolicy(name: MyAllowSpecificOrigins,
262262
policy =>
263263
{
264-
policy.WithOrigins("https://*.example.com")
264+
policy.WithOrigins("https://example.com")
265265
.SetIsOriginAllowedToAllowWildcardSubdomains();
266266
});
267267
});

aspnetcore/security/cors/includes/cors56.md

Lines changed: 4 additions & 0 deletions
@@ -206,6 +206,8 @@ This section describes the various options that can be set in a CORS policy:
206206

207207
[!code-csharp[](~/security/cors/6.0sample/Cors/WebAPI/Program.cs?name=snippet_aa)]
208208

209+
In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
210+
209211
### Set the allowed HTTP methods
210212

211213
<xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:
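Review bot: The paragraph added at new line 209 is a verbatim copy of the one added to `cors.md`, and the same text appears again later in this file and in `cors7.md`, so any later correction to the description of `SetIsOriginAllowedToAllowWildcardSubdomains` has to be made in four places. Suggest moving the paragraph into a shared include so the versioned pages cannot drift apart on what this policy allows.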
@@ -821,6 +823,8 @@ This section describes the various options that can be set in a CORS policy:
821823

822824
[!code-csharp[](~/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs?name=snippet)]
823825

826+
In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
827+
824828
### Set the allowed HTTP methods
825829

826830
<xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:

aspnetcore/security/cors/includes/cors7.md

Lines changed: 2 additions & 0 deletions
@@ -207,6 +207,8 @@ This section describes the various options that can be set in a CORS policy:
207207

208208
[!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)]
209209

210+
In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
211+
210212
### Set the allowed HTTP methods
211213

212214
<xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.AllowAnyMethod%2A>:

aspnetcore/security/cors/sample/CorsExample4/Startup.cs

Lines changed: 1 addition & 1 deletion
@@ -100,7 +100,7 @@ public void ConfigureServices(IServiceCollection services)
100100
options.AddPolicy("AllowSubdomain",
101101
policy =>
102102
{
103-
policy.WithOrigins("https://*.example.com")
103+
policy.WithOrigins("https://example.com")
104104
.SetIsOriginAllowedToAllowWildcardSubdomains();
105105
});
106106
// END11
