According to CORS spec (http://www.w3.org/TR/cors/#resource-requests) for simple request origin comparison is case sensitive:
If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
However the corresponding source code doesn't act like that:
```
else if (policy.Origins.Contains(requestContext.Origin, StringComparer.OrdinalIgnoreCase))
{
result.AllowedOrigin = requestContext.Origin;
}
```
If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
However the corresponding source code doesn't act like that:
```
else if (policy.Origins.Contains(requestContext.Origin, StringComparer.OrdinalIgnoreCase))
{
result.AllowedOrigin = requestContext.Origin;
}
```