OrchardCMS · hishamco · Nov 15, 2025 · Nov 15, 2025 · Nov 15, 2025 · Nov 20, 2025
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs
@@ -14,6 +14,8 @@ namespace OrchardCore.Cors.Controllers;
 [Admin]
 public sealed class AdminController : Controller
 {
+    private const string AnyOrigin = "*";
+
     private readonly IShellHost _shellHost;
     private readonly ShellSettings _shellSettings;
     private readonly IAuthorizationService _authorizationService;
@@ -102,25 +104,35 @@ public async Task<ActionResult> IndexPOST()
 
         foreach (var settingViewModel in model.Policies)
         {
-            corsPolicies.Add(new CorsPolicySetting
-            {
-                Name = settingViewModel.Name,
-                AllowAnyHeader = settingViewModel.AllowAnyHeader,
-                AllowAnyMethod = settingViewModel.AllowAnyMethod,
-                AllowAnyOrigin = settingViewModel.AllowAnyOrigin,
-                AllowCredentials = settingViewModel.AllowCredentials,
-                AllowedHeaders = settingViewModel.AllowedHeaders,
-                AllowedMethods = settingViewModel.AllowedMethods,
-                AllowedOrigins = settingViewModel.AllowedOrigins,
-                IsDefaultPolicy = settingViewModel.IsDefaultPolicy,
-                ExposedHeaders = settingViewModel.ExposedHeaders,
-            });
-
-            if (settingViewModel.AllowAnyOrigin && settingViewModel.AllowCredentials)
+            if (IsAnyOriginAllowed(settingViewModel) && settingViewModel.AllowCredentials)
             {
                 policyWarnings.Add(settingViewModel.Name);
             }
+            else
+            {
+                corsPolicies.Add(new CorsPolicySetting
+                {
+                    Name = settingViewModel.Name,
+                    AllowAnyHeader = settingViewModel.AllowAnyHeader,
+                    AllowAnyMethod = settingViewModel.AllowAnyMethod,
+                    AllowAnyOrigin = settingViewModel.AllowAnyOrigin,
+                    AllowCredentials = settingViewModel.AllowCredentials,
+                    AllowedHeaders = settingViewModel.AllowedHeaders,
+                    AllowedMethods = settingViewModel.AllowedMethods,
+                    AllowedOrigins = settingViewModel.AllowedOrigins,
+                    IsDefaultPolicy = settingViewModel.IsDefaultPolicy,
+                    ExposedHeaders = settingViewModel.ExposedHeaders,
+                });
+            }
+        }
+
+        if (policyWarnings.Count > 0)
+        {
+            await _notifier.WarningAsync(H["Specifying {0} and {1} is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.<br /><strong>Affected policies: {2} </strong><br />Refer to docs:<a href='https://learn.microsoft.com/en-us/aspnet/core/security/cors' target='_blank'>https://learn.microsoft.com/en-us/aspnet/core/security/cors</a>", "AllowAnyOrigin", "AllowCredentias", string.Join(", ", policyWarnings)]);
+
+            return View(model);
         }
+
         var corsSettings = new CorsSettings()
         {
             Policies = corsPolicies,
@@ -132,11 +144,9 @@ public async Task<ActionResult> IndexPOST()
 
         await _notifier.SuccessAsync(H["The CORS settings have updated successfully."]);
 
-        if (policyWarnings.Count > 0)
-        {
-            await _notifier.WarningAsync(H["Specifying {0} and {1} is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.<br /><strong>Affected policies: {2} </strong><br />Refer to docs:<a href='https://learn.microsoft.com/en-us/aspnet/core/security/cors' target='_blank'>https://learn.microsoft.com/en-us/aspnet/core/security/cors</a>", "AllowAnyOrigin", "AllowCredentias", string.Join(", ", policyWarnings)]);
-        }
-
         return View(model);
     }
+
+    private static bool IsAnyOriginAllowed(CorsPolicyViewModel corsPolicyViewModel)
+        => corsPolicyViewModel.AllowAnyOrigin || corsPolicyViewModel.AllowedOrigins.Any(origin => origin == AnyOrigin);
 }