diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66cd4bdb..67d0046d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Fixes
 
 - YouTube: keep Gemini-only no-caption runs on the transcription path by forwarding the Google API key from the top-level URL flow into link-preview transcription config (#148, thanks @bytrangle).
+- Daemon tests: expand CORS allowlist edge-case coverage for localhost variants, extension-origin casing, spoofed localhost domains, and full trusted response headers (#142, thanks @sebastiondev).
 
 ## 0.12.0 - 2026-03-11
 
diff --git a/tests/daemon.server.test.ts b/tests/daemon.server.test.ts
index b014d97a..9f59bb33 100644
--- a/tests/daemon.server.test.ts
+++ b/tests/daemon.server.test.ts
@@ -37,4 +37,56 @@ describe("daemon/server CORS allowlist", () => {
   it("omits CORS headers when origin is missing", () => {
     expect(corsHeaders(null)).toEqual({});
   });
+
+  // --- Additional edge-case coverage (follow-up to #108) ---
+
+  it.each([
+    "http://localhost",
+    "https://localhost",
+    "https://localhost:8787",
+    "http://127.0.0.1",
+    "https://127.0.0.1:8787",
+    "http://[::1]",
+    "http://localhost:3000",
+  ])("allows localhost variant %s regardless of scheme or port", (origin) => {
+    expect(isTrustedOrigin(origin)).toBe(true);
+    expect(corsHeaders(origin)["access-control-allow-origin"]).toBe(origin);
+  });
+
+  it.each([
+    "CHROME-EXTENSION://abcdef",
+    "Chrome-Extension://abcdef",
+    "MOZ-EXTENSION://abcdef",
+    "Safari-Web-Extension://com.example.summarize",
+  ])("allows case-insensitive extension protocol %s", (origin) => {
+    expect(isTrustedOrigin(origin)).toBe(true);
+  });
+
+  it.each([
+    "http://localhost.evil.com",
+    "http://localhost.evil.com:8787",
+    "http://127.0.0.2:8787",
+    "http://0.0.0.0:8787",
+    "null",
+    "javascript:alert(1)",
+    "data:text/html,<h1>test</h1>",
+    "chrome-extension-evil://abc",
+    "",
+  ])("rejects bypass attempt %s", (origin) => {
+    expect(isTrustedOrigin(origin)).toBe(false);
+    expect(corsHeaders(origin)).toEqual({});
+  });
+
+  it("returns the full set of CORS headers for a trusted origin", () => {
+    const headers = corsHeaders("http://localhost:8787");
+    expect(headers).toEqual({
+      "access-control-allow-origin": "http://localhost:8787",
+      "access-control-allow-credentials": "true",
+      "access-control-allow-headers": "authorization, content-type",
+      "access-control-allow-methods": "GET,POST,OPTIONS",
+      "access-control-allow-private-network": "true",
+      "access-control-max-age": "600",
+      vary: "Origin",
+    });
+  });
 });