Skip to content

Fix CORS wildcard subdomain documentation #36321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix CORS wildcard subdomain documentation #36321

wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Nov 10, 2025
edited by github-actions bot
Loading

Fixes #36192

The documentation incorrectly stated that SetIsOriginAllowedToAllowWildcardSubdomains() should be called with origins without the * wildcard character. This caused subdomain matching to fail.

Changes

  • Code samples: Changed WithOrigins("https://example.com") to WithOrigins("https://*.example.com") in all samples using SetIsOriginAllowedToAllowWildcardSubdomains()
    • Updated 8.0, 6.0, 3.1 samples and legacy CorsExample4
  • Documentation text: Replaced "origin should be specified without the * wildcard character" with "The * wildcard character must be included in the origin to enable wildcard subdomain matching"
    • Updated cors.md and include files (cors7.md, cors56.md)
  • Metadata: Added ai-usage: ai-assisted, updated ms.date to 11/10/2025

Before (incorrect - no subdomains matched):

policy.WithOrigins("https://example.com")
    .SetIsOriginAllowedToAllowWildcardSubdomains();

After (correct - matches api.example.com, subdomain.example.com, etc.):

policy.WithOrigins("https://*.example.com")
    .SetIsOriginAllowedToAllowWildcardSubdomains();
Original prompt

This section details on the original issue you should resolve

<issue_title>CORS wildcard subdomain setup is incorrect</issue_title>
<issue_description>### Description

The CORS documentation regarding wildcard subdomains using SetIsOriginAllowedToAllowWildcardSubdomains incorrectly states that the wildcard character * should be omitted from the domains passed to WithOrigin (e.g. "https://example.com"). Doing so causes no subdomains to be matched, and the CORS middleware does not include the required response header.

When including * in the values passed to WithOrigin (e.g. "https://*.example.com"), subdomains are matched and the CORS middleware correctly includes the required response header.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/cors.md

Document ID

d3f332c4-4c60-039e-0e1e-bc6b11831f87

Platform Id

fa70aa3f-a2de-be8b-4255-e778a6edb8ff

Article author

@tdykstra

Metadata

  • ID: 59bca5db-1196-2a8b-a0d8-4e89b2382288
  • PlatformId: fa70aa3f-a2de-be8b-4255-e778a6edb8ff
  • Service: aspnet-core
  • Sub-service: security

Related Issues</issue_description>

Comments on the Issue (you are @copilot in this section)

@wadepickett Thanks @bradyjerdmann. We appreciate you taking the time to let us know. We will get it fixed. @wadepickett @tdykstra

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Internal previews

📄 File 🔗 Preview link
aspnetcore/security/cors.md aspnetcore/security/cors

@tdykstra
Fix CORS wildcard subdomain documentation and code samples
e806756 
Co-authored-by: tdykstra <1569635+tdykstra@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CORS wildcard subdomain setup documentation Fix CORS wildcard subdomain documentation Nov 10, 2025
Copilot AI requested a review from tdykstra November 10, 2025 19:25
Copilot finished work on behalf of tdykstra November 10, 2025 19:25
@tdykstra tdykstra requested a review from wadepickett November 10, 2025 19:57
@wadepickett wadepickett marked this pull request as ready for review November 10, 2025 20:38
wadepickett
wadepickett approved these changes Nov 10, 2025
View reviewed changes
Copy link
Contributor

@wadepickett wadepickett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tdykstra, PR looks good. Approved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wadepickett wadepickett wadepickett approved these changes

+1 more reviewer

@tdykstra tdykstra tdykstra approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@tdykstra tdykstra

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CORS wildcard subdomain setup is incorrect

3 participants

@tdykstra @wadepickett