Please see this link for help: https://github.com/aspnet/CORS/blob/master/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs#L104
The method EvaluatePolicy returns an intermediate CorsResult that indicates the necessary action to take (which headers to set, whether to respond to an identified preflight request). Apply result is then used to apply these changes to the HttpResponse. This intermediate CorsResult checks for the request origin header and evaluates to either true or false.
See this link for when the browsers set the origin header: When do browsers send the Origin header? When do browsers set the origin to null?