Unable to connect to localhost, potentially due to HSTS

[nzbart]

trafficstars

Setup

Browser: Firefox Editor: Vim

Description

I am a developer, and have a website that I run on localhost that configures HSTS for localhost so that it is the same as production. This can sometimes cause problems because the browser will automatically connect over HTTPS instead of HTTP.

The same problem occurs in Chrome and Firefox, but Chrome has a setting called HSTSPolicyBypassList that allows me to prevent the HSTS header from being respected for localhost. Firefox does not have a similar setting. Since Firefox is my preferred browser, I would like to get it working there as well.

When I debug the extension, I see the following error in the console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost:4001/. (Reason: CORS request did not succeed). Status code: (null).

I think the CORS header error may be a red herring.

Since, by inspecting the code, it appears that the extensions would actually connect to http://localhost:4001/, I am fairly sure that the problem is the same as I worked around in Chrome. Note that I can visit http://localhost:4001/ in a normal Firefox tab and it is not redirected to HTTPS.

My question to you is how you think I could best deal with this. Should I submit a PR to allow the server name (localhost) to be configurable? Can you think of any other ways around the problem?

[fregante]

Hello, thanks for the report. You can try to replace localhost with another address (in the js files and manifest.json), build it and run it locally, it's possible that the editor extension will still accept the connection.

If that works, you could add an option to pick the host (which needs optional_permissions in the manifest and browser.permissions.request() I think before trying to connect)

[bartecargo]

@fregante thanks for getting back to me. I'll see if I can get that working sometime over the next couple of weeks.