Description
The CORS documentation regarding wildcard subdomains using SetIsOriginAllowedToAllowWildcardSubdomains incorrectly states that the wildcard character * should be omitted from the domains passed to WithOrigin (e.g. "https://example.com"). Doing so causes no subdomains to be matched, and the CORS middleware does not include the required response header.
When including * in the values passed to WithOrigin (e.g. "https://*.example.com"), subdomains are matched and the CORS middleware correctly includes the required response header.
Page URL
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-8.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/cors.md
Document ID
d3f332c4-4c60-039e-0e1e-bc6b11831f87
Platform Id
fa70aa3f-a2de-be8b-4255-e778a6edb8ff
Article author
@tdykstra
Metadata
- ID: 59bca5db-1196-2a8b-a0d8-4e89b2382288
- PlatformId: fa70aa3f-a2de-be8b-4255-e778a6edb8ff
- Service: aspnet-core
- Sub-service: security
Related Issues
Associated WorkItem - 537420
Description
The CORS documentation regarding wildcard subdomains using
SetIsOriginAllowedToAllowWildcardSubdomainsincorrectly states that the wildcard character * should be omitted from the domains passed toWithOrigin(e.g."https://example.com"). Doing so causes no subdomains to be matched, and the CORS middleware does not include the required response header.When including * in the values passed to
WithOrigin(e.g."https://*.example.com"), subdomains are matched and the CORS middleware correctly includes the required response header.Page URL
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-8.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/cors.md
Document ID
d3f332c4-4c60-039e-0e1e-bc6b11831f87
Platform Id
fa70aa3f-a2de-be8b-4255-e778a6edb8ff
Article author
@tdykstra
Metadata
Related Issues
Associated WorkItem - 537420