Make SetIsOriginAllowed Safe for SharePoint WebAPI?

I’m working on a test WebAPI for SharePoint that is secured with Azure AD via bearer tokens. At first, I manually specified every allowed origin with a statement like this inside ConfigureServices of Startup.cs:

services.AddCors(options =>
{
    // https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0
    // https://www.yogihosting.com/aspnet-core-enable-cors/
    options.AddPolicy(
        "SharePointOnline",
        builder =>
        {
            // Every installed Add-in has its own origin (tenant name + AppHash),
            // so each one has to be listed here explicitly.
            builder.WithOrigins(
                "https://myExampleTenantName-3a3324d2e332a3.sharepoint.com",
                "https://myExampleTenantName-3a3324d2e332a4.sharepoint.com",
                "https://myExampleTenantName-3a3324d2e332a5.sharepoint.com"
            ).AllowAnyHeader().AllowAnyMethod().AllowCredentials();
        }
    );
});

Unfortunately, this got to be annoying pretty quickly. Every time I would install a SharePoint Add-in, my Add-in would get a new AppHash similar to the “3a3324d2e332a3”, “3a3324d2e332a4” and “3a3324d2e332a5” shown above. I would then have to go into the WebAPI and add an origin entry for the newly deployed Add-in. I thought about reading the origins from a config file or database, but then I stumbled across a wildcard method by Granger (and others) over in SO: https://stackoverflow.com/questions/8197812/how-do-i-configure-notepad-to-use-spaces-instead-of-tabs

So then I tried this, but I’m wondering if it’s “safe”:

// Needed at the top of Startup.cs for Regex:
using System.Text.RegularExpressions;

services.AddCors(options =>
{
    // Granger:
    // https://stackoverflow.com/questions/36877652/
    //    configure-cors-to-allow-all-subdomains-using-asp-net-core-asp-net-5-mvc6-vnex
    // https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0
    // https://www.yogihosting.com/aspnet-core-enable-cors/
    options.AddPolicy(
        "SharePointOnline",
        builder =>
        {
            // Verbatim string (@"...") so the \. escapes reach Regex instead of
            // being rejected by the C# compiler. The pattern is not anchored, so
            // it matches any origin that merely contains this text.
            builder.SetIsOriginAllowed(
                o => Regex.IsMatch(
                    o,
                    @"https://myExampleTenantName.*\.sharepoint\.com"
                )
            ).AllowAnyHeader()
            .AllowAnyMethod()
            .AllowCredentials();
        }
    );
});

While the RegEx “https://myExampleTenantName.*.sharepoint.com” will match all of my Add-ins regardless of AppHash, I’m afraid someone can go into SharePoint and create a tenant named myExampleTenantNameEvil and fool my RegEx into allowing requests from their “Evil” origin.

I’m thinking that I can tighten my RegEx by using something like https://myExampleTenantName-(a-f0-9).*.sharepoint.com , but I’m still concerned even that might not be “safe”.

To make matters worse, I think I’ve read in various places such as StackOverflow that you can’t rely on Same-Origin policy to protect against Cross-Site Request Forgery (XSRF/CSRF) attacks anyway…

Is there a RegEx or some C# I can use inside the SetIsOriginAllowed function to only allow origins from SharePoint Add-ins running on tenant myExampleTenantName?

NOTE: I know this question is very focused on the WebAPI aspect of the application chain, but the problem stems from the fact that SharePoint insists on appending that irritating AppHash to my tenant name to form the FQDN for installed Add-ins.
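One way to write the SetIsOriginAllowed predicate so that only this tenant's Add-in hosts pass, added here as an example that is not part of the original question: parse the Origin header as a Uri, require https on the default port, and match the host against an anchored pattern rather than an unanchored substring regex. It assumes the AppHash is a run of hex digits (as in the “3a3324d2e332a3” examples above) and that the tenant name is fixed; both are assumptions, not documented SharePoint guarantees.

```csharp
using System;
using System.Text.RegularExpressions;

public static class SharePointOriginPolicy
{
    // Tenant name from the question; hosts are compared case-insensitively.
    private const string TenantName = "myExampleTenantName";

    // Assumption: the AppHash is one or more hex digits. Anchored with ^ and $ so
    // "myExampleTenantNameEvil-..." (a different tenant) and a host that merely
    // contains "...sharepoint.com" somewhere in the middle cannot match.
    private static readonly Regex HostPattern = new Regex(
        "^" + Regex.Escape(TenantName.ToLowerInvariant()) + @"-[0-9a-f]+\.sharepoint\.com$",
        RegexOptions.Compiled | RegexOptions.CultureInvariant);

    // Predicate for builder.SetIsOriginAllowed(SharePointOriginPolicy.IsAllowedOrigin).
    // The browser sends Origin as scheme://host[:port], so parse it instead of
    // regex-matching the raw string, and reject anything that is not a bare https origin.
    public static bool IsAllowedOrigin(string origin)
    {
        if (string.IsNullOrEmpty(origin)) return false;
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;
        if (!uri.IsDefaultPort) return false;                    // no https://host:8443
        if (uri.PathAndQuery != "/" || uri.Fragment.Length != 0) return false;
        if (uri.HostNameType != UriHostNameType.Dns) return false;
        return HostPattern.IsMatch(uri.Host.ToLowerInvariant());
    }

    // Constructed sample origins showing what the predicate accepts and rejects.
    public static void Main()
    {
        string[] samples =
        {
            "https://myExampleTenantName-3a3324d2e332a3.sharepoint.com",        // ALLOW
            "https://MYEXAMPLETENANTNAME-3a3324d2e332a4.sharepoint.com",        // ALLOW (host case)
            "https://myExampleTenantNameEvil-3a3324d2e332a3.sharepoint.com",    // REJECT: other tenant
            "https://myExampleTenantName-3a33.sharepoint.com.example",          // REJECT: not sharepoint.com
            "http://myExampleTenantName-3a3324d2e332a3.sharepoint.com",         // REJECT: not https
            "https://myExampleTenantName-3a3324d2e332a3.sharepoint.com:8443",   // REJECT: non-default port
            "https://myExampleTenantName-g123.sharepoint.com",                  // REJECT: AppHash not hex
        };
        foreach (var s in samples)
            Console.WriteLine($"{(IsAllowedOrigin(s) ? "ALLOW " : "REJECT")} {s}");
    }
}
```

This narrows which cross-origin pages a browser will let read credentialed responses from the API; it is not a CSRF defence by itself, so the bearer-token authorization on each request still has to do that job.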