flag: allow-insecure-localhost going away?


Anuj Goyal

Aug 19, 2019, 8:00:31 PM
to securi...@chromium.org, Brandon Heenan, Julian Pastarmov, Owen Min, Yann Dago
Security Team,

I think a lot of customers are still using this flag.

See this post on the Enterprise forum

Who is the PM/TL that built this? It might be useful to have the context before we remove it so that we can write it up in our release notes.

Flag Name | Expired In | Listed Owners | Actual Contacts (Email)
allow-insecure-localhost | 76 | security-dev | securi...@chromium.org

-Anuj
PM: Chrome Browser Enterprise

Brandon Heenan

Aug 20, 2019, 11:53:35 AM
to Anuj Goyal, securi...@chromium.org, Julian Pastarmov, Owen Min, Yann Dago
I made some comments in the flag expiry design doc suggesting that a good mitigation for this case would be to add a policy to replace the functionality of the flag. We should do that if we believe there's a real need for enterprises to switch on this behavior.

Christopher Thompson

Aug 26, 2019, 12:38:33 PM
to Brandon Heenan, Anuj Goyal, securi...@chromium.org, Julian Pastarmov, Owen Min, Yann Dago
Hi all -- 

I've uploaded a CL to bump the expiration on the allow-insecure-localhost and unsafely-treat-insecure-origin-as-secure flags, so these will still be available from chrome://flags in M-78+. We may revisit these flags in the future, but we don't currently have plans to remove them.

If there are specific enterprise use cases for the allow-insecure-localhost flag, that might be good to know as well for making longer term plans (the linked Enterprise forum thread doesn't have any useful information in it).

- Chris

Brandon Heenan

Sep 3, 2019, 12:51:32 PM
to Christopher Thompson, Anuj Goyal, securi...@chromium.org, Julian Pastarmov, Owen Min, Yann Dago
I think it's a development use case, to allow people to run/test HTTPS sites they're building locally. Is there a better / another way of accomplishing that use case?