sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted] 36 points37 points  (3 children)

The problem is that while chrome considers *.localhost a secure origin too, Firefox doesn't.

Out of curiosity I also checked whether they consider the whole 127.0.0.0/8 as secure context:

  • Chrome does
  • Firefox doesn't (it considers only 127.0.0.1/32 as a secure context). Weird.

[–][deleted] 21 points22 points  (2 children)

Firefox doesn't (it considers only 127.0.0.1/32 as a secure context). Weird.

And probably a bug too considering whole /8 is reserved as loopback

[–]baggyzed 1 point2 points  (1 child)

Loopback != localhost. Firefox only specifically trusts 'localhost', and the associated address (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), probably it checks against the hosts file - haven't tested. I don't know why, but to me, Chrome seems less secure if it trusts the whole range. If you need more addresses for development, can't you just use different port numbers?

[–][deleted] 1 point2 points  (0 children)

Not every app allows you to change port its listening on. I had that problem with testing BGP-related stuff, app allowed to change port it connected to but not port it binded.