Currently, mixed content checks block http://127.0.0.1 from loading in a page delivered over TLS. I'm (belatedly) coming around to the idea that that restriction does more harm than good. In particular, I'll note that folks are installing new trusted roots and self-signing certs for that IP address, exposing themselves to additional risk for minimal benefit. Helpful locally installed software is doing the same, with even more associated risk.
I'd like to change MIX to use the Secure Contexts spec's notion of "potentially trustworthy" origins as opposed to toggling strictly based on the URL's protocol. This would be a normative change that would force us back to CR again. shrug Seems like it might be worth doing anyway.
Currently, mixed content checks block
http://127.0.0.1from loading in a page delivered over TLS. I'm (belatedly) coming around to the idea that that restriction does more harm than good. In particular, I'll note that folks are installing new trusted roots and self-signing certs for that IP address, exposing themselves to additional risk for minimal benefit. Helpful locally installed software is doing the same, with even more associated risk.I'd like to change MIX to use the Secure Contexts spec's notion of "potentially trustworthy" origins as opposed to toggling strictly based on the URL's protocol. This would be a normative change that would force us back to CR again. shrug Seems like it might be worth doing anyway.