Comment by diogocp 2 days ago

> We absolutely need a localhost and local domain exemption for both TLS/X.509 certificate validation and web APIs.

localhost is already considered a secure origin.

Local networks are horribly insecure; easily the most likely place for a MITM attack.

lxgr 2 days ago

Ah, that’s good – it’s been a while since I last had to work around that.

And I generally agree on local networks being insecure. So how about making them more secure instead of marginalizing them even more?

TOFU for TLS certs on .local (for Zeroconf, and maybe something else/new for local DNS) would be a huge step forward from unencrypted and unauthenticated HTTP. Such sites could even still be displayed with a broken padlock or whatever HTTP gets these days to not create any false expectations by users.
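Trust-on-first-use for `.local` certificates, as lxgr proposes it, in an added example that is not code from this thread or from any browser; the pin-store format, the hostname scoping and the return codes are my own assumptions, and the certificate bytes in the test are constructed stand-ins for DER-encoded certificates:

```python
"""TOFU (trust-on-first-use) pin store for TLS certificates on .local hosts.

Hypothetical design: on first contact with a .local hostname, the SHA-256
fingerprint of the DER-encoded leaf certificate is recorded; later contacts
must present a certificate with the same fingerprint. A mismatch is surfaced
to the caller (for a warning UI), never silently re-pinned.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER certificate, the form browsers display."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Pins the first certificate seen for each .local hostname."""

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = path                      # None keeps pins in memory only
        self.pins: Dict[str, str] = {}
        if path and os.path.exists(path):
            with open(path, "r", encoding="utf-8") as f:
                self.pins = json.load(f)

    def _save(self) -> None:
        if self.path:
            with open(self.path, "w", encoding="utf-8") as f:
                json.dump(self.pins, f)

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'not-local', 'first-use', 'match' or 'mismatch'."""
        host = host.lower().rstrip(".")       # normalise case and trailing dot
        if not host.endswith(".local"):
            return "not-local"                # outside TOFU scope: CA validation applies
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp              # first contact: trust and remember
            self._save()
            return "first-use"
        if hmac.compare_digest(pinned, fp):   # constant-time comparison of hex digests
            return "match"
        return "mismatch"                     # key changed or MITM: caller must warn
```

Because a mismatch is returned rather than overwritten, a device that legitimately re-keys still needs an explicit user decision to re-pin, which is the same trade-off SSH's known_hosts makes.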