Trust .localhost addresses without certificates
@d3vid
Submitted by David Seaward. Link to original bug (#785056)
Description
Steps to reproduce:
- Visit a localhost URL [1]
- Start entering a password in a form
What should happen:
- Password captured
What happens instead:
- First, a warning appears "Heads-up: this form is not secure. If you type your password, it will be visible to cybercriminals!"
- Then, the password is captured as expected
Notes:
- My understanding is that http and https addresses on localhost can/should be trusted, even if there is no certificate or CA. There is the possibility that /etc/hosts has been tampered with, but this implies a compromised system anyhow.
- The only alternative I have found is to define a local CA, explicitly trust it, and use that CA to generate certificate(s) for localhost and .localhost domains. This seems unnecessarily complex.
- Chrome has a flag for this: https://superuser.com/a/903159/29994
[1] Examples include:
- http://localhost
- http://127.0.0.1
- http://localhost:3000
- https://localhost (local certificate with no CA)
- http://subdomain.localhost
Version: 3.24.x (obsolete)
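As an added example (not part of the bug report or of the browser's code), the following implements the W3C Secure Contexts "potentially trustworthy origin" check, which is the rule that decides whether a password field on a page draws the insecure-form warning, and runs it over the URL kinds listed in the report. It assumes Node.js with the WHATWG `URL` class; the function names are chosen here.

```javascript
// Decide whether a URL's origin is "potentially trustworthy" (W3C Secure
// Contexts): https/wss/file schemes, loopback addresses (127.0.0.0/8, ::1),
// and the names "localhost" and "*.localhost" qualify; plain http on any
// other host does not. Assumes Node.js (WHATWG URL).

function isLoopbackHost(host) {
  // URL.hostname keeps the brackets on IPv6 literals, e.g. "[::1]".
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  return m !== null && Number(m[1]) === 127;
}

function isLocalhostName(host) {
  // Matches "localhost", "localhost.", "foo.localhost", "foo.localhost.".
  // The spec only lets a browser rely on this when it guarantees that such
  // names resolve to loopback without consulting DNS or /etc/hosts.
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost");
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { trustworthy: false, reason: "unparseable URL" };
  }
  const scheme = url.protocol.replace(/:$/, "");
  // Note: https://localhost with a self-signed certificate still passes this
  // origin check; whether the TLS handshake is accepted is a separate decision.
  if (scheme === "https" || scheme === "wss") return { trustworthy: true, reason: "secure scheme" };
  if (scheme === "file") return { trustworthy: true, reason: "file scheme" };
  if (isLoopbackHost(url.hostname)) return { trustworthy: true, reason: "loopback address" };
  if (isLocalhostName(url.hostname)) return { trustworthy: true, reason: "localhost name" };
  return { trustworthy: false, reason: "cleartext scheme on a non-local host" };
}

// Constructed sample: the URL kinds from the report plus two negatives.
const SAMPLE_URLS = [
  "http://localhost", "http://127.0.0.1", "http://localhost:3000",
  "https://localhost", "http://subdomain.localhost",
  "http://[::1]:8080", "http://example.com", "http://notlocalhost",
];
for (const u of SAMPLE_URLS) {
  const r = isPotentiallyTrustworthy(u);
  console.log(`${u.padEnd(28)} ${r.trustworthy ? "trusted " : "untrusted"} (${r.reason})`);
}
```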