OrchardCMS · Bellambharath · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · Apr 3, 2026
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs
@@ -147,5 +147,7 @@ public async Task<ActionResult> IndexPOST()
     }
 
     private static bool IsAnyOriginAllowed(CorsPolicyViewModel corsPolicyViewModel)
-        => corsPolicyViewModel.AllowAnyOrigin || corsPolicyViewModel.AllowedOrigins.Any(origin => origin == CorsConstants.AnyOrigin);
+      => corsPolicyViewModel.AllowAnyOrigin
+          || corsPolicyViewModel.AllowedOrigins?.Any(origin =>
+              string.Equals(origin?.Trim(), CorsConstants.AnyOrigin, StringComparison.Ordinal)) == true;
 }
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs
@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using CorsConstants = Microsoft.AspNetCore.Cors.Infrastructure.CorsConstants;
 
 namespace OrchardCore.Cors.Services;
 
@@ -16,71 +17,77 @@ public CorsOptionsConfiguration(CorsService corsService, ILogger<CorsOptionsConf
     }
 
     public void Configure(CorsOptions options)
-    {
-        var corsSettings = _corsService.GetSettingsAsync().GetAwaiter().GetResult();
-        if (corsSettings?.Policies == null || !corsSettings.Policies.Any())
-        {
-            return;
-        }
-
-        foreach (var corsPolicy in corsSettings.Policies)
-        {
-            if (corsPolicy.AllowCredentials && corsPolicy.AllowAnyOrigin)
-            {
-                _logger.LogWarning("Using AllowCredentials and AllowAnyOrigin at the same time is considered a security risk, the {PolicyName} policy will not be loaded.", corsPolicy.Name);
-                continue;
-            }
-
-            options.AddPolicy(corsPolicy.Name, configurePolicy =>
-            {
-                if (corsPolicy.AllowAnyHeader)
-                {
-                    configurePolicy.AllowAnyHeader();
-                }
-                else
-                {
-                    configurePolicy.WithHeaders(corsPolicy.AllowedHeaders);
-                }
+  {
+      var corsSettings = _corsService.GetSettingsAsync().GetAwaiter().GetResult();
+      if (corsSettings?.Policies == null || !corsSettings.Policies.Any())
+      {
+          return;
+      }
 
-                if (corsPolicy.AllowAnyMethod)
-                {
-                    configurePolicy.AllowAnyMethod();
-                }
-                else
-                {
-                    configurePolicy.WithMethods(corsPolicy.AllowedMethods);
-                }
+      foreach (var corsPolicy in corsSettings.Policies)
+      {
+          var allowAnyOrigin = corsPolicy.AllowAnyOrigin
+              || corsPolicy.AllowedOrigins?.Any(origin =>
+                  string.Equals(origin?.Trim(), CorsConstants.AnyOrigin, StringComparison.Ordinal)) == true;
 
-                if (corsPolicy.AllowAnyOrigin)
-                {
-                    configurePolicy.AllowAnyOrigin();
-                }
-                else
-                {
-                    configurePolicy.WithOrigins(corsPolicy.AllowedOrigins);
-                }
+          if (corsPolicy.AllowCredentials && allowAnyOrigin)
+          {
+              _logger.LogWarning(
+                  "Using AllowCredentials and AllowAnyOrigin at the same time is considered a security risk, the {PolicyName} policy will not be loaded.",
-                  "Using AllowCredentials and AllowAnyOrigin at the same time is considered a security risk, the {PolicyName} policy will not be loaded.",
+                  "Using AllowCredentials with any origin (including '*') is considered a security risk, the {PolicyName} policy will not be loaded.",
-                  "Using AllowCredentials and AllowAnyOrigin at the same time is considered a security risk, the {PolicyName} policy will not be loaded.",
+                  "Using AllowCredentials with any origin (including '*') is considered a security risk, the {PolicyName} policy will not be loaded.",
+                  corsPolicy.Name);
+              continue;
+          }
 
-                if (corsPolicy.AllowCredentials)
-                {
-                    configurePolicy.AllowCredentials();
-                }
-                else
-                {
-                    configurePolicy.DisallowCredentials();
-                }
+          options.AddPolicy(corsPolicy.Name, configurePolicy =>
+          {
+              if (corsPolicy.AllowAnyHeader)
+              {
+                  configurePolicy.AllowAnyHeader();
+              }
+              else
+              {
+                  configurePolicy.WithHeaders(corsPolicy.AllowedHeaders);
+              }
+
+              if (corsPolicy.AllowAnyMethod)
+              {
+                  configurePolicy.AllowAnyMethod();
+              }
+              else
+              {
+                  configurePolicy.WithMethods(corsPolicy.AllowedMethods);
+              }
+
+              if (allowAnyOrigin)
+              {
+                  configurePolicy.AllowAnyOrigin();
+              }
+              else
+              {
+                  configurePolicy.WithOrigins(corsPolicy.AllowedOrigins);
+              }
+
+              if (corsPolicy.AllowCredentials)
+              {
+                  configurePolicy.AllowCredentials();
+              }
+              else
+              {
+                  configurePolicy.DisallowCredentials();
+              }
+
+              if (corsPolicy.ExposedHeaders?.Length > 0)
+              {
+                  configurePolicy.WithExposedHeaders(corsPolicy.ExposedHeaders);
+              }
+          });
+
+          if (corsPolicy.IsDefaultPolicy)
+          {
+              options.DefaultPolicyName = corsPolicy.Name;
+          }
+      }
 
-                if (corsPolicy.ExposedHeaders?.Length > 0)
-                {
-                    configurePolicy.WithExposedHeaders(corsPolicy.ExposedHeaders);
-                }
-            });
-
-            if (corsPolicy.IsDefaultPolicy)
-            {
-                options.DefaultPolicyName = corsPolicy.Name;
-            }
-        }
-
-        options.DefaultPolicyName ??= corsSettings.Policies.FirstOrDefault()?.Name;
-    }
+      options.DefaultPolicyName ??= corsSettings.Policies.FirstOrDefault()?.Name;
+  }
 }