ASP.NET Core’s SetIsOriginAllowed method gives you full control over whether or not an origin is allowed to participate in CORS. Here’s an example based on your code sample:
if(_environment.IsDevelopment())
{
options.AddDefaultPolicy(builder =>
{
builder.SetIsOriginAllowed(origin => new Uri(origin).Host == "localhost");
});
}
else
{
// ...
}
The origin value passed in to the SetIsOriginAllowed delegate is the full origin, which looks something like http://localhost:8080. Using Uri, the code above compares the Host against localhost, which ends up allowing all localhost origins.