
AFAIK http://localhost is treated the same as https://localhost so you shouldn't need a self-signed certificate.



https://localhost doesn't work without a self-signed certificate...


Sure, but you can use http://localhost, and it will be treated as a secure origin


Some OAuth providers require https (even for localhost), and if I'm using WebAuthn, I have to have a certificate.


But what would WebAuthn for localhost even mean?

The credentials in WebAuthn are bound to an FQDN (typically the name of the web server but e.g. news.ycombinator.com would be entitled to ask for WebAuthn credentials for ycombinator.com) so it's not as though this is irrelevant.

I can imagine a few dozen extra lines defining a special allowance for localhost in the WebAuthn spec, but then you're also building a bunch of special backend code to handle that too and for what?

I built a toy WebAuthn implementation to understand it better, but I did it on my vanity site, and I don't feel like it would really have been easier without.
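
An added example, not part of the thread or any commenter's code: a simplified version of the scoping rule the comment above refers to, where a WebAuthn RP ID must equal the page's host or be a registrable parent domain of it. The function names and `SAMPLE_PUBLIC_SUFFIXES` are hypothetical and constructed here; a real check uses the full Public Suffix List.

```javascript
// Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Longest public suffix of `host` present in `suffixes`, or null if none matches.
function publicSuffixOf(host, suffixes) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (suffixes.has(candidate)) return candidate;
  }
  return null;
}

// IP literals are never domains, so they cannot have a parent-domain RP ID.
function isIpLiteral(host) {
  return /^\d+\.\d+\.\d+\.\d+$/.test(host) || host.startsWith("[");
}

// True when a page served from `origin` may use `rpId` as its WebAuthn RP ID.
function rpIdAllowedForOrigin(origin, rpId, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  const host = new URL(origin).hostname.toLowerCase().replace(/\.$/, "");
  const id = String(rpId).toLowerCase();
  if (id === "") return false;
  if (id === host) return true; // exact host match is always in scope
  if (isIpLiteral(host) || isIpLiteral(id)) return false;
  // Must be a parent on a label boundary: "combinator.com" is not a
  // parent of "news.ycombinator.com".
  if (!host.endsWith("." + id)) return false;
  // A public suffix itself ("com", "github.io") would span unrelated sites.
  if (suffixes.has(id)) return false;
  // Also reject anything above the host's public suffix ("uk" for "x.co.uk").
  const hostSuffix = publicSuffixOf(host, suffixes);
  if (hostSuffix !== null && hostSuffix.endsWith("." + id)) return false;
  return true;
}
```

A relying party's server should run the same comparison against the origin reported in the client data rather than trusting the browser alone.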



