diff --git a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyBuilder.cs b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyBuilder.cs
index 88e16fa0fa..3953296168 100644
--- a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyBuilder.cs
+++ b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyBuilder.cs
@@ -38,9 +38,9 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 /// The current policy builder.
 public CorsPolicyBuilder WithOrigins(params string[] origins)
 {
- foreach (var req in origins)
+ foreach (var origin in origins)
 {
- _policy.Origins.Add(req);
+ _policy.Origins.Add(origin.ToLowerInvariant());
 }
 return this;
diff --git a/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyBuilderTests.cs b/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyBuilderTests.cs
index 8a223ad225..c9b3afca84 100644
--- a/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyBuilderTests.cs
+++ b/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyBuilderTests.cs
@@ -128,6 +128,17 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 Assert.Equal(new List() { "http://example.com", "http://example2.com" }, corsPolicy.Origins);
 }
+ [Fact]
+ public void WithOrigins_NormalizesOrigins()
+ {
+ // Arrange
+ var builder = new CorsPolicyBuilder("http://www.EXAMPLE.com", "HTTPS://example2.com");
+
+ // Assert
+ var corsPolicy = builder.Build();
+ Assert.Equal(new List() { "http://www.example.com", "https://example2.com" }, corsPolicy.Origins);
+ }
+
 [Fact]
 public void AllowAnyOrigin_AllowsAny()
 {
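Review bot: `origin.ToLowerInvariant()` in the `WithOrigins` loop dereferences every element, so a null entry in `origins` now fails with a NullReferenceException inside the builder, where the old `Add(req)` just stored the value. A guard before the `Add` call, for example `if (origin == null) { throw new ArgumentNullException(nameof(origins)); }`, would report this as a configuration error instead. Lower-casing at configuration time only helps if the request-time origin check compares against the same form; that code is not in this diff, and anything added directly to the policy's `Origins` list skips the normalization, so it is worth confirming the comparison is case-insensitive for scheme and host. The method body continues past the end of the hunk.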
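Review bot: The test `WithOrigins_NormalizesOrigins` never calls `WithOrigins`; it passes the origins to the `CorsPolicyBuilder` constructor, so it covers the changed method only if the constructor forwards to it, which this diff does not show. Calling the method directly, e.g. `var builder = new CorsPolicyBuilder().WithOrigins("http://www.EXAMPLE.com", "HTTPS://example2.com");`, would pin the behaviour the name describes. The `builder.Build()` call sits under `// Assert`; a separate `// Act` comment above it would keep the arrange/act/assert layout readable.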