WICG / private-network-access

https://wicg.github.io/private-network-access/

Accessing localhost from a secure context? #114

Closed ShivanKaul closed 10 months ago

ShivanKaul commented 10 months ago

I had a follow-up question about the rollout plan for the Private Network Access spec after last week's TPAC update.

Is the plan to eventually disallow public HTTPS websites from accessing localhost and require a CORS grant? https://developer.chrome.com/blog/private-network-access-update/#accessing-localhost explicitly carves out an exception for localhost and recommends that developers simply update their public websites to be HTTPS, but the spec doesn't have that allowance.

mikewest commented 10 months ago

I think the article you're pointing to was trying to distinguish localhost from 192.168.1.5, where the former is considered to be secure-enough for the purposes of mixed content, while the latter is not. My understanding of the plan is that both will eventually require reasonable preflight responses; the latter will also require the user-facing permission prompt @iVanlIsh and @johnathan79717 discussed.

iVanlIsh commented 10 months ago

Mike is correct. localhost is considered a secure-enough context, so it can pass the mixed content check and won't need a permission prompt. However, every request coming from public/private IP addresses to localhost will eventually require Private Network Access CORS preflights: https://developer.chrome.com/blog/private-network-access-preflight/