Fix CORS wildcard subdomain documentation and code samples

Co-authored-by: tdykstra <[email protected]>

Author: Copilot

aspnetcore/security/cors.md

@@ -1,10 +1,11 @@
 ---
 title: Enable Cross-Origin Requests (CORS) in ASP.NET Core
+ai-usage: ai-assisted
 author: tdykstra
 description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app.
 ms.author: tdykstra
 ms.custom: mvc
-ms.date: 09/29/2025
+ms.date: 11/10/2025
 uid: security/cors
 ---
 # Enable Cross-Origin Requests (CORS) in ASP.NET Core
@@ -211,7 +212,7 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)]
 
-In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching.
 
 ### Set the allowed HTTP methods
 

aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs

@@ -27,7 +27,7 @@ public void ConfigureServices(IServiceCollection services)
                 options.AddPolicy("MyAllowSubdomainPolicy",
                     policy =>
                     {
-                        policy.WithOrigins("https://example.com")
+                        policy.WithOrigins("https://*.example.com")
                             .SetIsOriginAllowedToAllowWildcardSubdomains();
                     });
                 #endregion

aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs

@@ -259,7 +259,7 @@
     options.AddPolicy(name: MyAllowSpecificOrigins,
         policy =>
         {
-            policy.WithOrigins("https://example.com")
+            policy.WithOrigins("https://*.example.com")
                 .SetIsOriginAllowedToAllowWildcardSubdomains();
         });
 });

aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs

@@ -261,7 +261,7 @@
     options.AddPolicy(name: MyAllowSpecificOrigins,
         policy =>
         {
-            policy.WithOrigins("https://example.com")
+            policy.WithOrigins("https://*.example.com")
                 .SetIsOriginAllowedToAllowWildcardSubdomains();
         });
 });

aspnetcore/security/cors/includes/cors56.md

@@ -206,7 +206,7 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/6.0sample/Cors/WebAPI/Program.cs?name=snippet_aa)]
 
-In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching.
 
 ### Set the allowed HTTP methods
 
@@ -823,7 +823,7 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs?name=snippet)]
 
-In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching.
 
 ### Set the allowed HTTP methods
 

aspnetcore/security/cors/includes/cors7.md

@@ -207,7 +207,7 @@ This section describes the various options that can be set in a CORS policy:
 
 [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)]
 
-In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character.
+In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching.
 
 ### Set the allowed HTTP methods
 

aspnetcore/security/cors/sample/CorsExample4/Startup.cs

@@ -100,7 +100,7 @@ public void ConfigureServices(IServiceCollection services)
                 options.AddPolicy("AllowSubdomain",
                     policy =>
                     {
-                        policy.WithOrigins("https://example.com")
+                        policy.WithOrigins("https://*.example.com")
                             .SetIsOriginAllowedToAllowWildcardSubdomains();
                     });
                 // END11