From f50ffb2b92b97482d4014cc3baa930840a67b78d Mon Sep 17 00:00:00 2001
From: "J. Nick Koston"
Date: Sun, 14 Dec 2025 09:09:24 -0600
Subject: [PATCH] cover
---
 tests/dashboard/test_web_server.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/tests/dashboard/test_web_server.py b/tests/dashboard/test_web_server.py
index 9da8b8f6f9..10ca6061e6 100644
--- a/tests/dashboard/test_web_server.py
+++ b/tests/dashboard/test_web_server.py
@@ -1569,6 +1569,32 @@ async def test_dashboard_yaml_loading_with_packages_and_secrets(
 assert config["esphome"]["name"] == "test-download-secrets"
+@pytest.mark.asyncio
+async def test_websocket_check_origin_default_same_origin(
+ dashboard: DashboardTestHelper,
+) -> None:
+ """Test WebSocket uses default same-origin check when ESPHOME_TRUSTED_DOMAINS not set."""
+ # Ensure ESPHOME_TRUSTED_DOMAINS is not set
+ env = os.environ.copy()
+ env.pop("ESPHOME_TRUSTED_DOMAINS", None)
+ with patch.dict(os.environ, env, clear=True):
+ from tornado.httpclient import HTTPRequest
+
+ url = f"ws://127.0.0.1:{dashboard.port}/events"
+ # Same origin should work (default Tornado behavior)
+ request = HTTPRequest(
+ url, headers={"Origin": f"http://127.0.0.1:{dashboard.port}"}
+ )
+ ws = await websocket_connect(request)
+ try:
+ msg = await ws.read_message()
+ assert msg is not None
+ data = json.loads(msg)
+ assert data["event"] == "initial_state"
+ finally:
+ ws.close()
+
+
 @pytest.mark.asyncio
 async def test_websocket_check_origin_trusted_domain(
 dashboard: DashboardTestHelper,
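Review bot: The new test only proves that a matching Origin is accepted; nothing in it shows that a mismatched Origin is refused when ESPHOME_TRUSTED_DOMAINS is unset, and that refusal is the property that keeps a page on another site from opening the dashboard's /events socket. Unless a rejection case already exists outside this hunk, a companion test should send a foreign Origin and expect the handshake to fail. Assuming the handler falls back to Tornado's default check, `websocket_connect` then raises `tornado.httpclient.HTTPClientError` with code 403. The `dashboard` fixture is also created before `patch.dict` runs, so the unset case is exercised only if the handler reads the variable per request, which is not visible here. The trailing context lines belong to the next test, whose body lies outside the hunk.

```python
@pytest.mark.asyncio
async def test_websocket_check_origin_default_rejects_cross_origin(
    dashboard: DashboardTestHelper,
) -> None:
    """Cross-origin WebSocket handshake is refused when ESPHOME_TRUSTED_DOMAINS is not set."""
    # HTTPRequest / HTTPClientError: from tornado.httpclient
    env = os.environ.copy()
    env.pop("ESPHOME_TRUSTED_DOMAINS", None)
    with patch.dict(os.environ, env, clear=True):
        request = HTTPRequest(
            f"ws://127.0.0.1:{dashboard.port}/events",
            # constructed foreign origin, used only to differ from the Host
            headers={"Origin": "http://untrusted.example"},
        )
        with pytest.raises(HTTPClientError) as exc_info:
            await websocket_connect(request)
        assert exc_info.value.code == 403
```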