Localhost Security Messaging

December 31st, 2022
tech
Browsers these days either mark sites with a padlock (https://) or "not secure" (http://). This warns the users that without the protection of "https://" your communications could be read or modified by any network your packets travel over. But how should "http://localhost" be marked? That's your own computer so it's secure, but the connection isn't encrypted so a padlock would be misleading.

It turns out that the browsers have three options for the url bar, not just secure and insecure. Here's what they look like in Firefox:

Chrome:

Safari:

Despite the unusual URL bar treatment, the major browsers do now all treat this configuration as a secure context (spec), which means you can use features that require secure contexts, like crypto, MIDI, or geolocation.

Comment via: facebook, lesswrong, mastodon, substack

Recent posts on blogs I like:

Thing of Things AI use policy

dynomight recently wrote an article calling for bloggers to state publicly whether and how they use AI

via Thing of Things July 6, 2026

Agentic test processes, LLM benchmarks, and other notes on agentic coding from Galapagos Island

I've been using AI fairly heavily since last November and the whole thing is a funny experience. An agent will do something that, if a human did it, you'd immediately fire them. My reaction, of course, is to act as if this is great and spin up a t…

via Posts on July 3, 2026

Variable fonts aren't universally supported

I make a lot of webpages. I also use Lockdown Mode on iOS and MacOS for a bit of extra security. Sometimes I realize that I forgot to test on Safari and it looks like crap, or I test and don’t notice that there’s been a problem for months (as was the case…

via Home June 27, 2026

more     (via openring)