According to CORS spec (http://www.w3.org/TR/cors/#resource-requests) for simple request origin comparison is case sensitive:
If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
However the corresponding source code doesn't act like that:
```
else if (policy.Origins.Contains(requestContext.Origin, StringComparer.OrdinalIgnoreCase))
{
result.AllowedOrigin = requestContext.Origin;
}
```
Comments: https://aspnetwebstack.codeplex.com/SourceControl/changeset/7fe40652f0660896b914aa75b567cced3bdce539
If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
However the corresponding source code doesn't act like that:
```
else if (policy.Origins.Contains(requestContext.Origin, StringComparer.OrdinalIgnoreCase))
{
result.AllowedOrigin = requestContext.Origin;
}
```
Comments: https://aspnetwebstack.codeplex.com/SourceControl/changeset/7fe40652f0660896b914aa75b567cced3bdce539