Issue 1159077 in chromium: Flag expired : allow-insecure-localhost


wormssmail via monorail

Feb 10, 2021, 6:47:10 PM
to securi...@chromium.org

Comment #17 on issue 1159077 by worms...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c17

> In most cases, http://localhost behaves like https and developing on https://localhost shouldn't be needed

If this is the case, would you say "secure" cookies being blocked on http://localhost is a bug?
document.cookie = 'foo=baz; .....; secure'

This works on the production environment but fails on http://localhost. Should a different issue ticket be opened for this?


henri.cook via monorail

Feb 10, 2021, 6:47:13 PM
to securi...@chromium.org

Comment #18 on issue 1159077 by henri...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c18

TBH I knew there was a good reason we developed with https on localhost, but I hadn't yet found the time to go into it to dispute this. This is one of them.

govind via monorail

Feb 10, 2021, 6:47:16 PM
to securi...@chromium.org
Updates:
Cc: pbom...@chromium.org benm...@chromium.org sriniv...@chromium.org
Labels: -Merge-Approved-88 merge-merged-4324 merge-merged-M88

Comment #19 on issue 1159077 by gov...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c19

This is already merged to M88 - https://chromium-review.googlesource.com/c/chromium/src/+/2642863.

estark@, please request a merge to M89 branch 4389 ASAP if this needs a merge to M89 as well. Thank you.

srinivassista via monorail

Feb 10, 2021, 6:47:20 PM
to securi...@chromium.org
Updates:
Labels: Merge-Request-89

Comment #20 on issue 1159077 by sriniv...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c20

Yes, it is needed for M89 as well so we don't remove it again; I have added the label.

sheriffbot via monorail

Feb 10, 2021, 6:47:23 PM
to securi...@chromium.org
Updates:
Labels: -Merge-Request-89 Merge-Review-89

Comment #21 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c21

This bug requires manual review: M89's targeted beta branch promotion date has already passed, so this requires manual review
Before a merge request will be considered, the following information is required to be added to this bug:

1. Does your merge fit within the Merge Decision Guidelines?
- Chrome: https://chromium.googlesource.com/chromium/src.git/+/master/docs/process/merge_request.md#when-to-request-a-merge
- Chrome OS: https://goto.google.com/cros-release-branch-merge-guidelines
2. Links to the CLs you are requesting to merge.
3. Has the change landed and been verified on ToT?
4. Does this change need to be merged into other active release branches (M-1, M+1)?
5. Why are these changes required in this milestone after branch?
6. Is this a new feature?
7. If it is a new feature, is it behind a flag using finch?

Chrome OS Only:
8. Was the change reviewed and approved by the Eng Prod Representative? See Eng Prod ownership by component: http://go/cros-engprodcomponents

Please contact the milestone owner if you have questions.
Owners: benmason@(Android), bindusuvarna@(iOS), geohsu@(ChromeOS), pbommana@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

estark via monorail

Feb 10, 2021, 6:47:25 PM
to securi...@chromium.org

Comment #22 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c22

The original CL https://chromium-review.googlesource.com/c/chromium/src/+/2595514 already landed in M89 so this doesn't need to be merged to 89.

ps1dba via monorail

Feb 10, 2021, 6:47:30 PM
to securi...@chromium.org

Comment #23 on issue 1159077 by ps1...@gmail.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c23

Dangit

pbommana via monorail

Feb 10, 2021, 7:09:32 PM
to securi...@chromium.org
Updates:
Labels: -Merge-Review-89 Merge-Rejected-89

Comment #24 on issue 1159077 by pbom...@google.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c24

Rejecting the merge based on comment#22

davidben via monorail

Feb 11, 2021, 2:53:49 PM
to securi...@chromium.org

Comment #25 on issue 1159077 by davi...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c25


> If this is the case, would you say "secure" cookies being blocked on http://localhost is a bug?

See issue #1056543. As of M89, the Secure attribute is fine with http://localhost.
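
The behaviour discussed above can be checked against whatever browser build a team is pinned to. The following is an added example, not part of the thread or of Chromium: a small Node.js probe that sets a `Secure` cookie over plain http://localhost and reports whether the browser sent it back. The cookie names, port 8080 and the `--serve` switch are assumptions made for the example.

```javascript
// Added example, not from the thread: probe how this browser treats a
// Secure cookie set over plain http://localhost.
const SECURE = 'secure_probe';   // hypothetical cookie names
const CONTROL = 'control_probe';

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// First request: set both cookies and redirect. Second request: report which
// cookies came back. The control cookie separates "Secure was rejected" from
// "this browser profile blocks cookies altogether".
function probe(url, cookieHeader) {
  const { searchParams } = new URL(url, 'http://localhost');
  if (!searchParams.has('check')) {
    return {
      status: 302,
      headers: {
        'Set-Cookie': [`${SECURE}=1; Path=/; Secure`, `${CONTROL}=1; Path=/`],
        Location: '/?check=1',
      },
      body: '',
    };
  }
  const jar = parseCookies(cookieHeader);
  const verdict = !jar.has(CONTROL) ? 'no-cookies'
    : jar.has(SECURE) ? 'accepted' : 'rejected';
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain' },
    body: `Secure cookie over http://localhost: ${verdict}\n`,
    verdict,
  };
}

// Run `node probe.js --serve`, then open http://localhost:8080/ in the browser.
if (process.argv.includes('--serve')) {
  import('node:http').then(({ createServer }) =>
    createServer((req, res) => {
      const r = probe(req.url, req.headers.cookie);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(8080, 'localhost'));
}
```

A `rejected` verdict means the browser under test still needs https://localhost for code paths that depend on `Secure` cookies.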

estark via monorail

Oct 11, 2021, 12:17:58 PM
to securi...@chromium.org
Updates:
Labels: Merge-Request-96

Comment #27 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c27

Requesting to merge c26 back to M96

Git Watcher via monorail

Oct 11, 2021, 12:17:58 PM
to securi...@chromium.org

Comment #26 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c26

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/357c484d3e3a794cf534c68cabb43e5aa419d811

commit 357c484d3e3a794cf534c68cabb43e5aa419d811
Author: Emily Stark <est...@google.com>
Date: Sat Oct 09 01:10:15 2021

Bump --allow-insecure-localhost expiration

People seem to use this flag and we'll probably need to replace it with
something else (e.g. DevTools preference?) before we remove the flag.

Change-Id: I0c6c1e2d23bee35f15d849a38b25fcb9d932ade5
Bug: 1159077
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3215011
Commit-Queue: Emily Stark <est...@chromium.org>
Reviewed-by: Chris Thompson <cth...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#929943}

[modify] https://crrev.com/357c484d3e3a794cf534c68cabb43e5aa419d811/chrome/browser/flag-metadata.json

sheriffbot via monorail

Oct 11, 2021, 12:17:58 PM
to securi...@chromium.org
Updates:
Labels: -Merge-Request-96 Merge-Approved-96 Hotlist-Merge-Approved

Comment #28 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c28

Merge approved: your change passed merge requirements and is auto-approved for M96. Please go ahead and merge the CL to branch 4664 (refs/branch-heads/4664) manually. Please contact milestone owner if you have questions.
Merge instructions: https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/process/merge_request.md
Owners: govind (Android), harrysouders (iOS), dgagnon (ChromeOS), srinivassista (Desktop)


For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Git Watcher via monorail

Oct 11, 2021, 6:51:21 PM
to securi...@chromium.org
Updates:
Labels: -merge-approved-96 merge-merged-4664 merge-merged-96

Comment #30 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c30


The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/46d84cea3ec9edc65e1c37a6e14bb5d36437a611

commit 46d84cea3ec9edc65e1c37a6e14bb5d36437a611
Author: Emily Stark <est...@google.com>
Date: Mon Oct 11 18:54:03 2021


Bump --allow-insecure-localhost expiration

People seem to use this flag and we'll probably need to replace it with
something else (e.g. DevTools preference?) before we remove the flag.

(cherry picked from commit 357c484d3e3a794cf534c68cabb43e5aa419d811)


Change-Id: I0c6c1e2d23bee35f15d849a38b25fcb9d932ade5
Bug: 1159077
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3215011
Commit-Queue: Emily Stark <est...@chromium.org>
Reviewed-by: Chris Thompson <cth...@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#929943}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3217027
Cr-Commit-Position: refs/branch-heads/4664@{#22}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}

[modify] https://crrev.com/46d84cea3ec9edc65e1c37a6e14bb5d36437a611/chrome/browser/flag-metadata.json

estark via monorail

Nov 9, 2021, 5:17:01 PM
to securi...@chromium.org
Updates:
Status: Fixed

Comment #31 on issue 1159077 by est...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c31

(No comment was entered for this change.)

dsmith via monorail

Jan 18, 2022, 9:30:03 AM
to securi...@chromium.org

Comment #32 on issue 1159077 by dsm...@digitalmint.io: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c32

Is this flag going to be removed at some point? My company currently relies on it and would like to know at which point we need to freeze our Chrome upgrades.

cthomp via monorail

Jan 18, 2022, 1:10:49 PM
to securi...@chromium.org
Updates:
Cc: cth...@chromium.org

Comment #33 on issue 1159077 by cth...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c33

We would like to be able to remove it, but ideally that would mean that we've addressed all of the issues folks have with plain http://localhost. If you (or anyone else active on this bug) have specific issues you're running into that require the use of this flag, could you share them here so we can keep track of them and try to prioritize fixing them by default?

To set some expectations, I don't know when we'll have time to fix each edge case, but I don't think we'd want to get rid of this flag until we have an alternative (e.g., more settings in DevTools maybe) or plain-http-localhost has reached parity with https://localhost. Additionally, if there's a venue/mailing list that would be most helpful for announcing this change (when/if we do remove the flag), let me know -- I'd be happy to send an FYI announcement to blink-dev@ or security-dev@ for example.

ericlaw via monorail

Apr 18, 2022, 3:44:43 PM
to securi...@chromium.org

Comment #34 on issue 1159077 by eri...@microsoft.com: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c34

This expired in 101. Did an alternative come available?

cthomp via monorail

Apr 18, 2022, 4:26:13 PM
to securi...@chromium.org

Comment #35 on issue 1159077 by cth...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c35

Nope, missed the expiration notice this time. I uploaded https://chromium-review.googlesource.com/c/chromium/src/+/3591247 to bump the expiration again (and hopefully we can merge to M-102 since I missed branch point).

Git Watcher via monorail

Apr 18, 2022, 7:22:11 PM
to securi...@chromium.org

Comment #36 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c36


The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/eac02c7e7a7090bc85d154ed658d65379231f500

commit eac02c7e7a7090bc85d154ed658d65379231f500
Author: Chris Thompson <cth...@chromium.org>
Date: Mon Apr 18 21:51:56 2022

Bump expiration of `allow-insecure-localhost` flag to M110

This flag is still useful for certain edge cases, and we don't yet have
a supported alternative.

Bug: 1159077
Change-Id: I01ae57c58704d6918fcd9f26772dea66e964a45b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3591247
Commit-Queue: Chris Thompson <cth...@chromium.org>
Quick-Run: Chris Thompson <cth...@chromium.org>
Auto-Submit: Chris Thompson <cth...@chromium.org>
Reviewed-by: Mustafa Emre Acer <mea...@chromium.org>
Commit-Queue: Mustafa Emre Acer <mea...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#993449}

[modify] https://crrev.com/eac02c7e7a7090bc85d154ed658d65379231f500/chrome/browser/flag-metadata.json

cthomp via monorail

Apr 18, 2022, 7:52:09 PM
to securi...@chromium.org
Updates:
Labels: Merge-Request-102

Comment #37 on issue 1159077 by cth...@chromium.org: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c37


(No comment was entered for this change.)

sheriffbot via monorail

Apr 19, 2022, 9:36:27 PM
to securi...@chromium.org
Updates:
Labels: -Merge-Request-102 Merge-Approved-102

Comment #38 on issue 1159077 by sheriffbot: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c38

Merge approved: your change passed merge requirements and is auto-approved for M102. Please go ahead and merge the CL to branch 5005 (refs/branch-heads/5005) manually. Please contact milestone owner if you have questions.
Merge instructions: https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/process/merge_request.md
Owners: eakpobaro (Android), harrysouders (iOS), ceb (ChromeOS), srinivassista (Desktop)


For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Git Watcher via monorail

Apr 19, 2022, 9:36:30 PM
to securi...@chromium.org
Updates:
Labels: -merge-approved-102 merge-merged-5005 merge-merged-102

Comment #39 on issue 1159077 by Git Watcher: Flag expired : allow-insecure-localhost
https://bugs.chromium.org/p/chromium/issues/detail?id=1159077#c39


The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/6b940e35d11f4a389fd2c86b15c6d2f09b971d24

commit 6b940e35d11f4a389fd2c86b15c6d2f09b971d24
Author: Chris Thompson <cth...@chromium.org>
Date: Tue Apr 19 23:55:56 2022

[M102] Bump expiration of `allow-insecure-localhost` flag to M110


This flag is still useful for certain edge cases, and we don't yet have
a supported alternative.

(cherry picked from commit eac02c7e7a7090bc85d154ed658d65379231f500)


Bug: 1159077
Change-Id: I01ae57c58704d6918fcd9f26772dea66e964a45b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3591247
Commit-Queue: Chris Thompson <cth...@chromium.org>
Quick-Run: Chris Thompson <cth...@chromium.org>
Auto-Submit: Chris Thompson <cth...@chromium.org>
Reviewed-by: Mustafa Emre Acer <mea...@chromium.org>
Commit-Queue: Mustafa Emre Acer <mea...@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#993449}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3595143
Commit-Queue: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/5005@{#40}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}

[modify] https://crrev.com/6b940e35d11f4a389fd2c86b15c6d2f09b971d24/chrome/browser/flag-metadata.json