golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

proposal: net/http/cookiejar: `Secure` should not be checked on `localhost` #60997

Open zekroTJA opened 1 year ago

zekroTJA commented 1 year ago

Most browsers' cookie implementations have an exception for the `Secure` flag when the request is sent to a localhost domain (as stated in the MDN web docs).

I would appreciate it if this behavior were reflected in Go's cookie jar implementation. Probably the best approach would be to add a new `Options` property which actively enables this behavior, so that it is disabled by default to avoid changing the currently expected behavior.

If this suggestion gets accepted, I would appreciate the chance to try contributing an implementation.
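
The behavior under discussion, as an added example that is not part of the issue or of Go's source: the stock jar withholds a `Secure` cookie from `http://localhost`, while a hypothetical opt-in wrapper releases it only for the exact host name `localhost`. The names `localhostJar`, `namesFor` and `newJar`, and the cookie values, are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"sort"
)

// localhostJar is a hypothetical opt-in wrapper, not part of net/http/cookiejar.
// It releases Secure cookies to plain-HTTP requests only when the host is
// exactly "localhost"; every other URL goes to the wrapped jar unchanged.
type localhostJar struct{ http.CookieJar }

func (j localhostJar) Cookies(u *url.URL) []*http.Cookie {
	if u.Scheme == "http" && u.Hostname() == "localhost" {
		secure := *u // copy so the caller's URL is not modified
		secure.Scheme = "https"
		return j.CookieJar.Cookies(&secure)
	}
	return j.CookieJar.Cookies(u)
}

// namesFor stores one Secure and one non-Secure cookie as if set by rawURL,
// then returns the sorted names the jar would attach to a request to rawURL.
func namesFor(jar http.CookieJar, rawURL string) []string {
	u, err := url.Parse(rawURL)
	if err != nil {
		panic(err)
	}
	jar.SetCookies(u, []*http.Cookie{
		{Name: "session", Value: "constructed", Path: "/", Secure: true},
		{Name: "theme", Value: "dark", Path: "/"},
	})
	names := []string{}
	for _, c := range jar.Cookies(u) {
		names = append(names, c.Name)
	}
	sort.Strings(names)
	return names
}

func newJar() http.CookieJar {
	jar, _ := cookiejar.New(nil) // New never fails with nil options
	return jar
}

func main() {
	fmt.Println(namesFor(newJar(), "http://localhost:8080/"))               // stock jar
	fmt.Println(namesFor(localhostJar{newJar()}, "http://localhost:8080/")) // wrapper
	fmt.Println(namesFor(localhostJar{newJar()}, "http://example.test/"))   // not localhost
}
```

Because the wrapper only changes which stored cookies are returned for `localhost`, requests to any other plain-HTTP host still never carry `Secure` cookies.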

ianlancetaylor commented 1 year ago

CC @neild @bradfitz @nigeltao