diff --git a/src/gateway/origin-check.test.ts b/src/gateway/origin-check.test.ts
index 50c031e927d..aee605375f6 100644
--- a/src/gateway/origin-check.test.ts
+++ b/src/gateway/origin-check.test.ts
@@ -100,4 +100,46 @@ describe("checkBrowserOrigin", () => {
 });
 expect(result.ok).toBe(true);
 });
+
+ it("accepts non-standard scheme origins (tauri://) via raw string fallback", () => {
+ const result = checkBrowserOrigin({
+ requestHost: "gateway.tailnet.ts.net",
+ origin: "tauri://localhost",
+ allowedOrigins: ["tauri://localhost"],
+ });
+ expect(result.ok).toBe(true);
+ if (result.ok) {
+ expect(result.matchedBy).toBe("allowlist");
+ }
+ });
+
+ it("accepts non-standard scheme origins (capacitor://) via raw string fallback", () => {
+ const result = checkBrowserOrigin({
+ requestHost: "gateway.tailnet.ts.net",
+ origin: "capacitor://localhost",
+ allowedOrigins: ["capacitor://localhost"],
+ });
+ expect(result.ok).toBe(true);
+ if (result.ok) {
+ expect(result.matchedBy).toBe("allowlist");
+ }
+ });
+
+ it("rejects non-standard scheme origins not in allowlist", () => {
+ const result = checkBrowserOrigin({
+ requestHost: "gateway.tailnet.ts.net",
+ origin: "tauri://localhost",
+ allowedOrigins: ["https://control.example.com"],
+ });
+ expect(result.ok).toBe(false);
+ });
+
+ it("matches non-standard scheme origins case-insensitively", () => {
+ const result = checkBrowserOrigin({
+ requestHost: "gateway.tailnet.ts.net",
+ origin: "Tauri://Localhost",
+ allowedOrigins: ["tauri://localhost"],
+ });
+ expect(result.ok).toBe(true);
+ });
 });
diff --git a/src/gateway/origin-check.ts b/src/gateway/origin-check.ts
index d6795a7b64e..386f32b0432 100644
--- a/src/gateway/origin-check.ts
+++ b/src/gateway/origin-check.ts
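Review bot: The rejection test cannot tell an allowlist miss from a host mismatch, because its origin host (`localhost`) also differs from `requestHost`; no case pins what happens when a custom-scheme origin carries the gateway's own host. If checkBrowserOrigin also has a host-based match path (not visible in this hunk), add a case with `origin: "tauri://gateway.tailnet.ts.net"` and `allowedOrigins: []` and assert the outcome the project intends, so that path cannot silently start accepting arbitrary schemes. A near-miss allowlist case such as `origin: "tauri://localhost.example"` against `["tauri://localhost"]` would also pin that matching is exact rather than prefix-based. The case-insensitive test could assert `matchedBy` the way the first two tests do.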
@@ -9,17 +9,23 @@ type OriginCheckResult =
 function parseOrigin(
 originRaw?: string,
-): { origin: string; host: string; hostname: string } | null {
+): { origin: string; host: string; hostname: string; raw: string } | null {
 const trimmed = (originRaw ?? "").trim();
 if (!trimmed || trimmed === "null") {
 return null;
 }
 try {
 const url = new URL(trimmed);
+ const raw = trimmed.toLowerCase();
+ // Non-standard schemes (e.g. tauri://, capacitor://) produce a "null" origin
+ // from the URL parser. Preserve the raw input for allowlist matching so
+ // configured entries like "tauri://localhost" can still match.
+ const origin = url.origin === "null" ? raw : url.origin.toLowerCase();
 return {
- origin: url.origin.toLowerCase(),
+ origin,
 host: url.host.toLowerCase(),
 hostname: url.hostname.toLowerCase(),
+ raw,
 };
 } catch {
 return null;
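Review bot: The fallback on the `const origin = …` line fires for every input whose `url.origin` serializes as "null" (`file:`, `data:` and any arbitrary custom scheme, not only tauri:// and capacitor://), and it stores the whole trimmed header, including any path, query or userinfo, instead of a scheme/host/port tuple. As long as the allowlist comparison outside this hunk is an exact string match this fails closed, but `origin` is no longer canonical; building it from parsed parts keeps it so: `if (url.origin === "null" && !url.host) return null;` then `const origin = url.origin === "null" ? (url.protocol + "//" + url.host).toLowerCase() : url.origin.toLowerCase();` (check first that no caller depends on a parsed result for host-less inputs). The comment above that line could add that these origins are shared by every app built on the same framework and can be set freely by non-browser clients, so an allowlist hit is not proof of which app is connecting. The new `raw` field duplicates `origin` in the fallback case and is not read in this hunk; drop it unless a caller outside the hunk needs it. parseOrigin's body continues past the last line of the hunk.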