This repository has been archived by the owner on Nov 22, 2018. It is now read-only.

Exception, when origin is null in CorsPolicyExtensions.cs #137

Closed
glatzert opened this issue Dec 20, 2017 · 5 comments
glatzert commented Dec 20, 2017

After login with ADFS, Chrome produces a POST request to my ASP.NET application, with the following contents:

Metadata

Request URL:http://localhost:11645/signin-oidc
Request Method:POST
Status Code:500 Internal Server Error
Remote Address:[::1]:11645
Referrer Policy:no-referrer-when-downgrade

Request Headers

Provisional headers are shown
Content-Type:application/x-www-form-urlencoded
Origin:null
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

CorsPolicyExtension.IsOriginAnAllowedSubdomain will now throw the following:

System.UriFormatException: Invalid URI: The format of the URI could not be determined.

Which happens because origin is null and still gets passed to the check function.

Addendum:
Origin is not null as I triaged on my first try - it's "null" - which might or might not be a bug in Chrome ...

@mkArtakMSFT
Member

@jbagga, can you please investigate this?
@glatzert, can you please share a project we can repro with?

@glatzert
Author

@mkArtakMSFT I can make some project up, if you like, but essentially use

app.UseCors(cors => cors.SetIsOriginAllowedToAllowWildcardSubdomains()) anywhere, and then forge a POST with a header Origin: whatever-non-uri-you-like-here.

It boils down to missing this one in the code:

if (!Uri.IsWellFormedUriString(origin, UriKind.Absolute)) return true;
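
An added example, not code from the aspnet/CORS repository: a wildcard-subdomain origin check that parses the Origin header with Uri.TryCreate, so the "null" value from the request above and other non-URI values are treated as not allowed instead of raising UriFormatException. The class name, method name and sample origins are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;

// Hypothetical helper for illustration; not the CorsPolicyExtensions source.
public static class OriginCheck
{
    // True only for an exact match or a subdomain of a wildcard entry such as
    // "https://*.example.com". Never throws, whatever the Origin header holds.
    public static bool IsAllowed(string[] allowedOrigins, string origin)
    {
        if (string.IsNullOrEmpty(origin)) return false;
        if (allowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase)) return true;

        // "null" (sent by browsers for opaque origins) and other non-URI values
        // stop here, fail closed, and never reach new Uri(...), which would throw.
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var originUri)) return false;

        const string marker = "://*.";
        foreach (var entry in allowedOrigins)
        {
            var idx = entry.IndexOf(marker, StringComparison.Ordinal);
            if (idx < 0) continue;

            // Drop the "*." to get the parent domain, e.g. "https://example.com".
            var parent = entry.Remove(idx + 3, 2);
            if (!Uri.TryCreate(parent, UriKind.Absolute, out var parentUri)) continue;

            // Scheme and port must match; the host must end with ".parent" so
            // that "evilexample.com" does not pass as a subdomain of "example.com".
            if (originUri.Scheme == parentUri.Scheme
                && originUri.Port == parentUri.Port
                && originUri.Host.EndsWith("." + parentUri.Host, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample policy and Origin header values.
        var allowed = new[] { "https://*.example.com", "https://app.example.org" };
        var samples = new[] { "https://api.example.com", "null", "whatever-non-uri",
                              "https://evilexample.com", "http://api.example.com" };
        foreach (var o in samples)
            Console.WriteLine($"{o,-26} allowed={IsAllowed(allowed, o)}");
    }
}
```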

@mkArtakMSFT
Member

@glatzert, to avoid any misunderstandings, I would appreciate it if you could still share the very minimum project with a repro.

@glatzert
Author

CORSRepro.zip
Here you go - Edge does not reproduce the error, but Chrome will do. I did not test Firefox or Safari.

@aspnet-hello

This issue was moved to dotnet/aspnetcore#2318

@aspnet aspnet locked and limited conversation to collaborators Jan 1, 2018