How to permanently exclude localhost from HSTS list in Google Chrome

为君一笑 提交于 2019-12-18 03:04:46

问题


This is a followup question to Google Chrome redirecting localhost to https.

Does anyone know, how to permanently exclude localhost from HSTS list in Google Chrome?

Or, any other elegant solution that wouldn't require developer to visit chrome://net-internals/#hsts and delete localhost every time when switching from working on an HTTPS project to a different project on HTTP?


回答1:


Update:

You can install a proper SSL certificate for those domains if you want to for free, so you won't need to mess around with HSTS. Take a look here.


You may edit your system's hosts file:

  • On Windows: C:\Windows\System32\drivers\etc\hosts
  • On Linux: /ets/hosts

In there you can define a different domain for each project:

 127.0.0.1    project1.local
 127.0.0.1    project2.local
 127.0.0.1    projectN.local

Note: I'm using *.local domains (you can use virtually anything) because you have already set localhost to redirect to https, and such we have to use a different domain. Although I strongly recommend you to install a real SSL certificate and reset to default any modifications you have made on HSTS.

Once saved, when you navigate to those domain in any browser it will load from 127.0.0.1 (localhost). If you use apache/nginx as server you optionally can define VirtualHosts for each domain also so you don't need to change your httpd folder every time you switch projects.

Then of course you will have to re-issue any certificate that you may have for those projects for the new domains, but those would be unique for each project. And on Chrome you would not need to be messing net-internals more than once for each domain for the projects which you don't have a certificate (and 0 times for those with certificate).




回答2:


You can follow the solution here.

When Google Chrome keeps redirecting your localhost Url from http://localhost to https://localhost, do the following:

  1. Open the Developer Tools panel (CTRL+SHIFT+I)
  2. Click and hold the reload icon
  3. A menu will open
  4. Choose the 3rd option from this menu (“Empty Cache and Hard Reload”)



回答3:


Not a permanent fix (security issue can be involved)

I found a "fix". Something interesting, but cannot be a permanent fix because it can cause multiple security issues.

Here's what I did:

  1. Open Google Chrome
  2. In the Search Bar type chrome://flags/#allow-insecure-localhost
  3. Enabled Allow invalid certificates for resources loaded from localhost.

If you reload your application, the warning should be gone.

PS I did that because I needed to recreate a certification but didn't have the time. That's why I did that. I'll turn off this when my certification will work locally.




回答4:


Chrome 78 supports a policy called HSTSPolicyBypassList. You can list "localhost" as a domain to bypass HSTS. To configure Chrome policy on Linux, just create a file at /etc/opt/chrome/policies/managed/policies.json with the following content:

{
    "HSTSPolicyBypassList": [
        "localhost"
        ]
}

You can see the policies loaded by Chrome, typing chrome://policy/ at address bar.



来源:https://stackoverflow.com/questions/38968510/how-to-permanently-exclude-localhost-from-hsts-list-in-google-chrome

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!