Closed justinmayer closed 5 years ago
As a follow-up to this topic: whether `localhost`, `.localhost`, and/or `127.0.0.1` are secure origins seems to still be under debate. In short, there is a possibility that someday we may have to revert this and go back to HTTPS for localhost, but hopefully that will not come to pass. 🤞
@Natim mentioned that the demo project appears to work on localhost over HTTP via standard `runserver`, while we previously assumed HTTPS and thus `runserver_plus` were required.

At first I was a bit worried about this… Since my understanding is that HTTPS is required for WebAuthn, I thought perhaps that could mean something is awry. I did some more reading, and it seems HTTPS is required for the older U2F standard, while WebAuthn relaxes this restriction for localhost origins and only requires a "secure context", which means HTTP for localhost and HTTPS for all other origins:
A welcome improvement to the standard, in my opinion. 👏
So perhaps we can remove `django-extensions`, change `runserver_plus` references to `runserver`, and add documentation explaining that users will need HTTPS for non-localhost origins.
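The "secure context" rule discussed above, as an added example (not code from the project or from the issue author): a small Python check that classifies a Django origin the way the Secure Contexts definition does, so documentation or a startup warning can tell users which origins still need HTTPS. Function names are assumptions; the loopback rules follow the W3C Secure Contexts definition of a "potentially trustworthy origin".

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed helper names; the rules follow the W3C "Secure Contexts" definition
# that WebAuthn relies on: https/wss origins are always trustworthy, while plain
# http/ws is accepted only for loopback hosts (localhost, *.localhost, 127/8, ::1).
# Note: the issue above records that the status of localhost is still debated,
# so keep this list in one place in case it has to be tightened later.


def _is_loopback_host(host: str) -> bool:
    """True for localhost, any *.localhost name, or a loopback IP literal."""
    host = host.strip("[]").lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # a DNS name other than localhost


def is_potentially_trustworthy_origin(origin: str) -> bool:
    """Return True if a browser would treat this origin as a secure context."""
    parts = urlsplit(origin)
    if parts.scheme in ("https", "wss"):
        return True
    if parts.scheme in ("http", "ws"):
        return _is_loopback_host(parts.hostname or "")
    return False


def origins_needing_https(origins):
    """Filter a list of origins down to those WebAuthn will reject over HTTP.

    Useful for a docs snippet or a runserver-time warning: loopback origins
    work with plain runserver, everything else needs TLS.
    """
    return [o for o in origins if not is_potentially_trustworthy_origin(o)]


if __name__ == "__main__":
    # Constructed sample origins for a quick local check.
    sample = [
        "http://localhost:8000",
        "http://app.localhost:8000",
        "http://127.0.0.1:8000",
        "http://[::1]:8000",
        "https://example.com",
        "http://192.168.1.10:8000",
    ]
    for origin in sample:
        print(origin, "->", "secure context" if is_potentially_trustworthy_origin(origin) else "needs HTTPS")
```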