README - clarify service worker + localhost info

[mike-north]

The That browser warning section of the readme states

When using Chrome you can enable the allow-insecure-localhost flag on chrome://flags which disableѕ the certificate warning for localhost. This flag is required if you want to use ServiceWorkers.

However the Chromium FAQ on service worker debugging reads

Q: I get an error message about "Only secure origins are allowed". Why?

A: Service workers are only available to "secure origins" (HTTPS sites, basically) in line with a policy to prefer secure origins for powerful new features. However http://localhost is also considered a secure origin, so if you can, developing on localhost is an easy way to avoid this error.

I think the nuance here comes from the fact that, although the spec for HTTP/2 doesn't require secure connections, it has only been implemented in modern browsers for TLS connections. Thus, I think the issue at hand is:

• We must use https to serve over HTTP/2
• As this library is implemented, a CA cert is generated on the fly, which puts us in a state where we're using https and encountering a certificate error
• Although service workers would operate without issue on HTTP://localhost, they won't be happy with HTTPS://localhost if a certificate error is encountered
• Now we need to either trust the self-signed CA cert (dangerous) or use the chrome flag, to make our browser happy with using HTTP/2 with a service worker.

---

Why should we care? There's a common misconception that developers must trust a certificate when developing with service workers on http://localhost. The current README language is broad enough to reinforce this misconception.

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If your company signed a CLA, they designated a Point of Contact who decides which employees are authorized to participate. You may need to contact the Point of Contact for your company and ask to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the project maintainer to go/cla#troubleshoot.
• In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

[mike-north]

I signed it!

[googlebot]

CLAs look good, thanks!

[surma]

Yup, that makes a lot of sense. Thank you very much, @mike-north!