Added override for VaryByOrigin when using asterisk.

[LuckyWraptor]

Originating issue dotnet/aspnetcore/issues/3299.

This fix allows clients to use the following 2 approaches allow the enabling of the Vary: 'Origin' header when using an asterisk in the WithOrigins() function for the CorsPolicyBuilder

services.AddCors(options =>
{
    options.AddPolicy("Policy1",
        builder => builder
            .WithOrigins("*")
            .SetIsOriginAllowed(IsOriginAllowed(env))
    );
});

And even single origin domains using a wildcard:

services.AddCors(options =>
{
    options.AddPolicy("Policy1",
        builder => builder
            .WithOrigins("*.domain.com")
    );
});

Without having to do a hacky workaround like described in the issue above.

This should be an easy fix with low to none conflicts.

[LuckyWraptor]

Care to review? Thank you

[LuckyWraptor]

@mkArtakMSFT Would you mind getting someone on this easy fix?

[javiercn]

@FlyingWraptor I'm looking at it

[pranavkm]

IMO, this isn't correct. The behavior for IsOriginAllowed is allowed to be user defined which means the user code could have just as likely said "IsOriginAllowed = origin => origin.EndsWith("blah.com");which would make this check incorrect. We should add a property toCorsPolicy` that allows configuring this and use the line above as the default implementation.

i.e. CorsPolicy.IsVaryByOriginRequired => origin => Origins.Count > 1 || origin.Contains("*")

[javiercn]

@pranavkm maybe we can redesign this in 3.0 and clean it up?

[pranavkm]

maybe we can redesign this in 3.0 and clean it up

Yes please 👍

[mkArtakMSFT]

@javiercn, please file an issue to not forget about this in 3.0.

[javiercn]

dotnet/aspnetcore#3452

[LuckyWraptor]

Due to there still being imperfections I will close the merge request.