Can Firefox 76 be forced to consider .localhost subdomains as Secure Context without tls?

We are using .localhost domains for development of our applications, and we have multiple applications living at different domains. We are at the point where we need to test features requiring pages to execute in a Secure Context, i.e. Service Workers and Push API.

Google Chrome has, for the past few versions, been marking all sites coming from the .localhost domain as Secure Context, allowing local, hassle-free testing of Service Workers, Push API, etc.

I cannot find a way to force Firefox 76 to consider the same pages as being from a Secure Context.

We have managed to resolve all .localhost addresses correctly to 127.0.0.1 in all browsers using local dns-resolver settings or built-in browser behaviours.

The Firefox config entry network.dns.localDomains does not seem to affect whether a site is considered to be in a Secure Context.

There seems to be some kind of FF internal development to change that behaviour out of the box, but it's hard to say when it will be merged and released, and if all pages in *.localhost will be considered Secure Context for sure:
https://bugzilla.mozilla.org/show_bug.cgi?id=1220810

OhJeez asked Oct 21 '25 08:10


1 Answer

As of Firefox 84, localhost is considered a secure context. Before that, it wasn't because it's not guaranteed that localhost will in fact resolve to a local (and therefore trusted) address.

However, the preference dom.securecontext.allowlist (dom.securecontext.whitelist before Firefox 97) has been created specifically with this scenario in mind, and it takes a list of hosts (for example, host1.example.com,host2.example.net) that will be considered secure.

This preference does not seem to be well-documented, but it can be seen in this changeset: https://hg.mozilla.org/mozilla-central/rev/cfb9de0c9f2a.

corrideat answered Oct 24 '25 05:10
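
One way to apply the preference named in the answer above through a profile's user.js, as an added example that is not part of the original answer or of Firefox's own tooling. The function names, the profile directory argument and the bare-hostname check are assumptions made for illustration; the version cut-off (97) and the comma-separated value format come from the answer.

```shell
#!/bin/sh
# Added example: keep the secure-context host list in a Firefox profile's user.js.
# Function names and the hostname check are illustrative assumptions.

# Print the preference name for a Firefox major version
# (dom.securecontext.whitelist before 97, dom.securecontext.allowlist from 97).
securecontext_pref_name() {
    if [ "$1" -ge 97 ]; then
        echo "dom.securecontext.allowlist"
    else
        echo "dom.securecontext.whitelist"
    fi
}

# Accept only bare hostnames, the form shown in the answer:
# no scheme, port, path, wildcard or whitespace (assumed restriction).
is_bare_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# set_securecontext_hosts PROFILE_DIR FIREFOX_MAJOR HOST...
# Rewrites user.js so it holds exactly one line for the preference,
# leaving every other preference in the file untouched.
set_securecontext_hosts() {
    profile=$1; major=$2; shift 2
    pref=$(securecontext_pref_name "$major")
    list=""
    for host in "$@"; do
        is_bare_hostname "$host" || { echo "rejected: $host" >&2; return 1; }
        list="${list:+$list,}$host"
    done
    userjs="$profile/user.js"
    tmp="$userjs.tmp.$$"
    if [ -f "$userjs" ]; then
        # Drop any earlier copy of this preference; keep the rest.
        grep -v -F "user_pref(\"$pref\"," "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("%s", "%s");\n' "$pref" "$list" >> "$tmp"
    mv "$tmp" "$userjs"
}

# Usage (constructed hosts): set_securecontext_hosts "$PROFILE_DIR" 102 app1.localhost app2.localhost
```

Firefox reads user.js at startup, so the change takes effect after a restart. Because every listed host is treated as secure over plain HTTP, the list belongs in a dedicated development profile and should name only hosts that resolve to the loopback address.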
