diff --git a/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs b/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs
index 667c79d733..433512a231 100644
--- a/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs
+++ b/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs
@@ -54,6 +54,11 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
///
public CorsPolicyBuilder WithOrigins(params string[] origins)
{
+ if (origins is null)
+ {
+ throw new ArgumentNullException(nameof(origins));
+ }
+
foreach (var origin in origins)
{
var normalizedOrigin = GetNormalizedOrigin(origin);
@@ -65,6 +70,11 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
internal static string GetNormalizedOrigin(string origin)
{
+ if (origin is null)
+ {
+ throw new ArgumentNullException(nameof(origin));
+ }
+
if (Uri.TryCreate(origin, UriKind.Absolute, out var uri) &&
(uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps) &&
!string.Equals(uri.IdnHost, uri.Host, StringComparison.Ordinal))
@@ -73,9 +83,9 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
if (!uri.IsDefaultPort)
{
// Uri does not have a way to differentiate between a port value inferred by default (e.g. Port = 80 for http://www.example.com) and
- // a default port value that is specified (e.g. Port = 80 for http://www.example.com:80). Although the HTTP or FETCH spec does not say
+ // a default port value that is specified (e.g. Port = 80 for http://www.example.com:80). Although the HTTP or FETCH spec does not say
// anything about including the default port as part of the Origin header, at the time of writing, browsers drop "default" port when navigating
- // and when sending the Origin header. All this goes to say, it appears OK to drop an explicitly specified port,
+ // and when sending the Origin header. All this goes to say, it appears OK to drop an explicitly specified port,
// if it is the default port when working with an IDN host.
builder.Port = uri.Port;
}
@@ -208,7 +218,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
///
/// Sets the property of the policy to be a function
- /// that allows origins to match a configured wildcarded domain when evaluating if the
+ /// that allows origins to match a configured wildcarded domain when evaluating if the
/// origin is allowed.
///
/// The current policy builder.
diff --git a/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs b/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs
index f8d2e22fd4..82c7c0b4ee 100644
--- a/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs
+++ b/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs
@@ -139,6 +139,28 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
Assert.Equal(new List() { "http://www.example.com", "https://example2.com" }, corsPolicy.Origins);
}
+ [Fact]
+ public void WithOrigins_ThrowsIfArgumentNull()
+ {
+ // Arrange
+ var builder = new CorsPolicyBuilder();
+ string[] args = null;
+
+ // Act / Assert
+ Assert.Throws(() => builder.WithOrigins(args));
+ }
+
+ [Fact]
+ public void WithOrigins_ThrowsIfArgumentArrayContainsNull()
+ {
+ // Arrange
+ var builder = new CorsPolicyBuilder();
+ string[] args = new string[] { null };
+
+ // Act / Assert
+ Assert.Throws(() => builder.WithOrigins(args));
+ }
+
[Fact]
public void AllowAnyOrigin_AllowsAny()
{