CorsHandler.cs

       public class CorsHandler : DelegatingHandler
       {
              private const string _trustedRegex = @"((https?\:\/\/)?(.+\.)?thisismydomain\.com)|((https?\:\/\/)?localhost:[\d]+)";

              protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
              {
                     // runs before controller
                     var response = base.SendAsync(request, cancellationToken);
                     // runs after controller

                     IEnumerable<string> origins;
                     request.Headers.TryGetValues("Origin", out origins);
                     var firstOrigin = origins?.FirstOrDefault();

                     if (firstOrigin != null && Regex.IsMatch(firstOrigin, _trustedRegex)) {
                           response.Result.Headers.Add("Access-Control-Allow-Origin", firstOrigin);
                           response.Result.Headers.Add("Access-Control-Allow-Headers", "*");
                           response.Result.Headers.Add("Access-Control-Allow-Credentials", "true");
                     }

                     return response;
              }
       }