Issue 1159077 in chromium: Flag expired : allow-insecure-localhost

[craigtumblison via monorail]

Updates:
Labels: Hotlist-gTech Hotlist-gTech-Channel-Stable Hotlist-gTech-Source-Feedback Hotlist-gTech-Reporting-Surfaced

Comment #1 on issue 1159077 by craigtu...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c1

Hey all,

We're seeing feedback reports mentioning this flag expiration:
- https://listnr.corp.google.com/report/88170909037
- https://listnr.corp.google.com/report/88171694727
- https://listnr.corp.google.com/report/88171555281
- https://listnr.corp.google.com/report/88171241008
- https://listnr.corp.google.com/report/88171008863

Just flagging in case this should be re-reviewed.

Thanks!

--
You received this message because:
1. You are auto-CC'd on all issues in component Internals>Flags>Expired

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment or make updates.

[craigtumblison via monorail]

Comment #2 on issue 1159077 by craigtu...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c2

Issue 1168467 has been merged into this issue.

[henri.cook via monorail]

Comment #3 on issue 1159077 by henri...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c3

This is exceptionally inconvenient, it's taken out most of our team today and we're either downgrading or moving to Firefox.

What's the alternative for developers working against locally hosted services that require https with a self-signed cert (please don't say generating your own CA)

[henri.cook via monorail]

Comment #4 on issue 1159077 by henri...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c4

This is exceptionally inconvenient, it's taken out most of our team today and we're either downgrading or moving to Firefox.

What's the alternative for developers working against locally hosted services that require https with a self-signed cert? (please don't say generating your own CA)

[avi via monorail]

Updates:
Owner: est...@chromium.org
Status: Assigned

Comment #6 on issue 1159077 by a...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c6

This was unexpired with https://crrev.com/c/2595514, but that landed in Chrome 89. Does this need a merge?

Assigning to estark who bumped the flag.

[ellyjones via monorail]

Comment #7 on issue 1159077 by elly...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c7

FYI, you can temporarily reinstate the expired flag by setting:

chrome://flags/#temporary-unexpire-flags-m87

to "Enabled" and relaunching Chrome.

[estark via monorail]

Comment #8 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c8

As mentioned in c6, this flag will be back in Chrome 89. I don't think this is worth a stable respin now that 88 has already gone to stable, though perhaps we could merge it back in if there is a stable respin planned anyway.

In general command-line flags can disappear at any time and relying on them should be avoided. In most cases, http://localhost behaves like https and developing on https://localhost shouldn't be needed. We have an article coming soon on web.dev about how to generate a self-signed CA if http://localhost doesn't suffice.

[srinivassista via monorail]

Comment #9 on issue 1159077 by sriniv...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c9

estark@ pls get this merged to M88 ( we will take it for the next re-spin when it happens). its a safe change to merge and we wont trigger a re-spin for htis but will include it in the next one,

[henri.cook via monorail]

Comment #10 on issue 1159077 by henri...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c10

Thank you for the workaround and queueing this up in case of an 88 stable respin.

[estark via monorail]

Comment #11 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c11

Merge is in the CQ at https://chromium-review.googlesource.com/c/chromium/src/+/2642863

[srinivassista via monorail]

Comment #12 on issue 1159077 by sriniv...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c12

pls add merge-request-88 label and so i can approve it and go through merge process

[estark via monorail]

Updates:
Labels: Merge-Request-88 OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows

Comment #13 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c13

(No comment was entered for this change.)

[sheriffbot via monorail]

Updates:
Labels: -Merge-Request-88 Merge-Review-88 Hotlist-Merge-Review

Comment #14 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c14

This bug requires manual review: Request affecting a post-stable build
Before a merge request will be considered, the following information is required to be added to this bug:

1. Does your merge fit within the Merge Decision Guidelines?
- Chrome: https://chromium.googlesource.com/chromium/src.git/+/master/docs/process/merge_request.md#when-to-request-a-merge
- Chrome OS: https://goto.google.com/cros-release-branch-merge-guidelines
2. Links to the CLs you are requesting to merge.
3. Has the change landed and been verified on ToT?
4. Does this change need to be merged into other active release branches (M-1, M+1)?
5. Why are these changes required in this milestone after branch?
6. Is this a new feature?
7. If it is a new feature, is it behind a flag using finch?

Chrome OS Only:
8. Was the change reviewed and approved by the Eng Prod Representative? See Eng Prod ownership by component: http://go/cros-engprodcomponents

Please contact the milestone owner if you have questions.
Owners: govind@(Android), bindusuvarna@(iOS), marinakz@(ChromeOS), srinivassista @(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[srinivassista via monorail]

Updates:
Labels: -Merge-Review-88 Merge-Approved-88

Comment #15 on issue 1159077 by sriniv...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c15

Merge approved for M88 branch:4324

[sheriffbot via monorail]

Comment #16 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c16

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[wormssmail via monorail]

Comment #17 on issue 1159077 by worms...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c17

> In most cases, http://localhost behaves like https and developing on https://localhost shouldn't be needed

If this is a case, would you say "secure" cookies being blocked on http://localhost is a bug?
document.cookie = 'foo=baz; .....; secure''

This works on the production environment but fails on http://localhost. Should a different issue ticket be opened for this?

[henri.cook via monorail]

Comment #18 on issue 1159077 by henri...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c18

TBH I knew there was a good reason we developed with https on localhost, but I hadn't yet found the time to go into it to dispute this. This is one of them.

[govind via monorail]

Updates:
Cc: pbom...@chromium.org benm...@chromium.org sriniv...@chromium.org
Labels: -Merge-Approved-88 merge-merged-4324 merge-merged-M88

Comment #19 on issue 1159077 by gov...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c19

This is already merged to M88 - https://chromium-review.googlesource.com/c/chromium/src/+/2642863.

estark@, please request a merge to M89 branch 4389 ASAP if this needs a merge to M89 as well. Thank you.

[srinivassista via monorail]

Updates:
Labels: Merge-Request-89

Comment #20 on issue 1159077 by sriniv...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c20

Yes it is needed for M89 as well so we dont remove it again, i have added the label

[sheriffbot via monorail]

Updates:
Labels: -Merge-Request-89 Merge-Review-89

Comment #21 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c21

This bug requires manual review: M89's targeted beta branch promotion date has already passed, so this requires manual review

Before a merge request will be considered, the following information is required to be added to this bug:

1. Does your merge fit within the Merge Decision Guidelines?
- Chrome: https://chromium.googlesource.com/chromium/src.git/+/master/docs/process/merge_request.md#when-to-request-a-merge
- Chrome OS: https://goto.google.com/cros-release-branch-merge-guidelines
2. Links to the CLs you are requesting to merge.
3. Has the change landed and been verified on ToT?
4. Does this change need to be merged into other active release branches (M-1, M+1)?
5. Why are these changes required in this milestone after branch?
6. Is this a new feature?
7. If it is a new feature, is it behind a flag using finch?

Chrome OS Only:
8. Was the change reviewed and approved by the Eng Prod Representative? See Eng Prod ownership by component: http://go/cros-engprodcomponents

Please contact the milestone owner if you have questions.

Owners: benmason@(Android), bindusuvarna@(iOS), geohsu@(ChromeOS), pbommana@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[estark via monorail]

Comment #22 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c22

The original CL https://chromium-review.googlesource.com/c/chromium/src/+/2595514 already landed in M89 so this doesn't need to be merged to 89.

[ps1dba via monorail]

Comment #23 on issue 1159077 by ps1...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c23

Dangit

[pbommana via monorail]

Updates:
Labels: -Merge-Review-89 Merge-Rejected-89

Comment #24 on issue 1159077 by pbom...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c24

Rejecting the merge based on comment#22

[davidben via monorail]

Comment #25 on issue 1159077 by davi...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c25

> If this is a case, would you say "secure" cookies being blocked on http://localhost is a bug?

See issue #1056543. As of M89, the Secure attribute is fine with http://localhost.

[Git Watcher via monorail]

Comment #26 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c26

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/357c484d3e3a794cf534c68cabb43e5aa419d811

commit 357c484d3e3a794cf534c68cabb43e5aa419d811
Author: Emily Stark <est...@google.com>
Date: Sat Oct 09 01:10:15 2021

Bump --allow-insecure-localhost expiration

People seem to use this flag and we'll probably need to replace it with
something else (e.g. DevTools preference?) before we remove the flag.

Change-Id: I0c6c1e2d23bee35f15d849a38b25fcb9d932ade5
Bug: 1159077
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3215011
Commit-Queue: Emily Stark <est...@chromium.org>
Reviewed-by: Chris Thompson <cth...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#929943}

[modify] https://crrev.com/357c484d3e3a794cf534c68cabb43e5aa419d811/chrome/browser/flag-metadata.json

[estark via monorail]

Updates:
Labels: Merge-Request-96

Comment #27 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c27

Requesting to merge c26 back to M96

[sheriffbot via monorail]

Updates:
Labels: -Merge-Request-96 Merge-Approved-96 Hotlist-Merge-Approved

Comment #28 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c28

Merge approved: your change passed merge requirements and is auto-approved for M96. Please go ahead and merge the CL to branch 4664 (refs/branch-heads/4664) manually. Please contact milestone owner if you have questions.
Merge instructions: https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/process/merge_request.md
Owners: govind (Android), harrysouders (iOS), dgagnon (ChromeOS), srinivassista (Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[Git Watcher via monorail]

Updates:
Labels: -merge-approved-96 merge-merged-4664 merge-merged-96

Comment #30 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c30

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/46d84cea3ec9edc65e1c37a6e14bb5d36437a611

commit 46d84cea3ec9edc65e1c37a6e14bb5d36437a611
Author: Emily Stark <est...@google.com>
Date: Mon Oct 11 18:54:03 2021

Bump --allow-insecure-localhost expiration

People seem to use this flag and we'll probably need to replace it with
something else (e.g. DevTools preference?) before we remove the flag.

(cherry picked from commit 357c484d3e3a794cf534c68cabb43e5aa419d811)

Change-Id: I0c6c1e2d23bee35f15d849a38b25fcb9d932ade5
Bug: 1159077
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3215011
Commit-Queue: Emily Stark <est...@chromium.org>
Reviewed-by: Chris Thompson <cth...@chromium.org>

Cr-Original-Commit-Position: refs/heads/main@{#929943}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3217027
Cr-Commit-Position: refs/branch-heads/4664@{#22}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}

[modify] https://crrev.com/46d84cea3ec9edc65e1c37a6e14bb5d36437a611/chrome/browser/flag-metadata.json

[estark via monorail]

Updates:
Status: Fixed

Comment #31 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c31

(No comment was entered for this change.)

[dsmith via monorail]

Comment #32 on issue 1159077 by dsm...@digitalmint.io: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c32

Is this flag going to removed at some point? My company currently relies on it and would like to know at which point we need to freeze our chrome upgrades.

[cthomp via monorail]

Updates:
Cc: cth...@chromium.org

Comment #33 on issue 1159077 by cth...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c33

We would like to be able to remove it, but ideally that would mean that we've addressed all of the issues folks have with plain http://localhost. If you (or anyone else active on this bug) have specific issues you're running into that requires the use of this flag, could you share them here so we can keep track of them and try to prioritize fixing them by default?

To set some expectations, I don't know when we'll have time to fix each edge case, but I don't think we'd want to get rid of this flag until we have an alternative (e.g., more settings in DevTools maybe) or plain-http-localhost has reached parity with https://localhost. Additionally, if there's a venue/mailing list that would be most helpful for announcing this change (when/if we do remove the flag), let me know -- I'd be happy to send an FYI announcement to blink-dev@ or security-dev@ for example.

[ericlaw via monorail]

Comment #34 on issue 1159077 by eri...@microsoft.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c34

This expired in 101. Did an alternative come available?

[cthomp via monorail]

Comment #35 on issue 1159077 by cth...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c35

Nope, missed the expiration notice this time. I uploaded https://chromium-review.googlesource.com/c/chromium/src/+/3591247 to bump the expiration again (and hopefully we can merge to M-102 since I missed branch point).

[Git Watcher via monorail]

Comment #36 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c36

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/eac02c7e7a7090bc85d154ed658d65379231f500

commit eac02c7e7a7090bc85d154ed658d65379231f500
Author: Chris Thompson <cth...@chromium.org>
Date: Mon Apr 18 21:51:56 2022

Bump expiration of `allow-insecure-localhost` flag to M110

This flag is still useful for certain edge cases, and we don't yet have
a supported alternative.

Bug: 1159077
Change-Id: I01ae57c58704d6918fcd9f26772dea66e964a45b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3591247
Commit-Queue: Chris Thompson <cth...@chromium.org>
Quick-Run: Chris Thompson <cth...@chromium.org>
Auto-Submit: Chris Thompson <cth...@chromium.org>
Reviewed-by: Mustafa Emre Acer <mea...@chromium.org>
Commit-Queue: Mustafa Emre Acer <mea...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#993449}

[modify] https://crrev.com/eac02c7e7a7090bc85d154ed658d65379231f500/chrome/browser/flag-metadata.json

[cthomp via monorail]

Updates:
Labels: Merge-Request-102

Comment #37 on issue 1159077 by cth...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c37

(No comment was entered for this change.)

[sheriffbot via monorail]

Updates:
Labels: -Merge-Request-102 Merge-Approved-102

Comment #38 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c38

Merge approved: your change passed merge requirements and is auto-approved for M102. Please go ahead and merge the CL to branch 5005 (refs/branch-heads/5005) manually. Please contact milestone owner if you have questions.
Merge instructions: https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/process/merge_request.md
Owners: eakpobaro (Android), harrysouders (iOS), ceb (ChromeOS), srinivassista (Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[Git Watcher via monorail]

Updates:
Labels: -merge-approved-102 merge-merged-5005 merge-merged-102

Comment #39 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c39

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/6b940e35d11f4a389fd2c86b15c6d2f09b971d24

commit 6b940e35d11f4a389fd2c86b15c6d2f09b971d24
Author: Chris Thompson <cth...@chromium.org>
Date: Tue Apr 19 23:55:56 2022

[M102] Bump expiration of `allow-insecure-localhost` flag to M110

This flag is still useful for certain edge cases, and we don't yet have
a supported alternative.

(cherry picked from commit eac02c7e7a7090bc85d154ed658d65379231f500)

Bug: 1159077
Change-Id: I01ae57c58704d6918fcd9f26772dea66e964a45b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3591247
Commit-Queue: Chris Thompson <cth...@chromium.org>
Quick-Run: Chris Thompson <cth...@chromium.org>
Auto-Submit: Chris Thompson <cth...@chromium.org>
Reviewed-by: Mustafa Emre Acer <mea...@chromium.org>
Commit-Queue: Mustafa Emre Acer <mea...@chromium.org>

Cr-Original-Commit-Position: refs/heads/main@{#993449}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3595143
Commit-Queue: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/5005@{#40}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}

[modify] https://crrev.com/6b940e35d11f4a389fd2c86b15c6d2f09b971d24/chrome/browser/flag-metadata.json

[iits.venkat via monorail]

Comment #40 on issue 1159077 by iits....@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c40

Hi We need this flag very badly, any chance of keeping it back? more than a million users depends on this flags to run their application. Please keep this flag enabled.