Changes to SameSite Cookie Behavior – A Call to Action for Web Developers

[blickentwapft]

Please browser developers just make it easy to switch requirements for HTTPS off during development.

There’s any number of circumstances in which my development machines don’t have HTTPS.

[VWWHFSfQ]

This is so annoying. Our app requires HTTPS when not in debug mode. If you run the app locally and accidentally forget to turn on debugging then it will try to redirect to HTTPS. Firefox sees this and then from then on tries to force HTTPS, even after you've restarted the app with debugging. And now you simply can't access the non-HTTPS local site and I have no idea how to make Firefox forget about the HTTPS redirect. Infuriating.

[danielhlockard]

Clear it from your HSTS cache, I bet you're setting that in the app when https is hit.

[VWWHFSfQ]

It's not HSTS. I've tried multiple methods to clear localhost from Firefox HSTS cache and it's not in there. But it still forces the HTTPS redirect.

[iggldiggl]

301 cache then?

[marksomnian]

With Chrome you can go to chrome://flags, find “unsafely treat insecure origins as secure”, and allowlist your dev server.

[joewrong]

This may help https://github.com/FiloSottile/mkcert

[Nextgrid]

Maybe there just needs to be better tooling around generating certificates or the "invalid certificate" warning should be toned down.

[Avamander]

Set up local nginx reverse proxy, test and develop in production-like environment. It's really not hard.