From 353b596a6d83eb010c0ab50cc35576943192784b Mon Sep 17 00:00:00 2001
From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com>
Date: Fri, 5 Sep 2025 10:59:36 -0500
Subject: [PATCH] [PM-25390] CORS - Password Change URI (#6287)

* enable cors headers for icons program
- This is needed now that browsers can hit the change-password-uri path via API call

* Add absolute route for change-password-uri
---
 src/Icons/Controllers/ChangePasswordUriController.cs | 2 +-
 src/Icons/Startup.cs                                 | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Icons/Controllers/ChangePasswordUriController.cs b/src/Icons/Controllers/ChangePasswordUriController.cs
index 3f2bc91cf2..935cda77df 100644
--- a/src/Icons/Controllers/ChangePasswordUriController.cs
+++ b/src/Icons/Controllers/ChangePasswordUriController.cs
@@ -5,7 +5,7 @@ using Microsoft.Extensions.Caching.Memory;
 
 namespace Bit.Icons.Controllers;
 
-[Route("change-password-uri")]
+[Route("~/change-password-uri")]
 public class ChangePasswordUriController : Controller
 {
     private readonly IMemoryCache _memoryCache;
diff --git a/src/Icons/Startup.cs b/src/Icons/Startup.cs
index 16bbdef553..2602dd6264 100644
--- a/src/Icons/Startup.cs
+++ b/src/Icons/Startup.cs
@@ -92,6 +92,9 @@ public class Startup
             await next();
         });
 
+        app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
+            .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
+
         app.UseRouting();
         app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
     }