284559 2024-12-12 08:42:22 -0800 Safari 18.2 non-secure site connections warning blocks localhost with no option to proceed 2026-06-04 15:28:10 -0700 1 1 1 Unclassified WebKit Page Loading Safari 18 Mac (Apple Silicon) Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=284834 InRadar P2 Normal --- 1 opendarwin m_finkel beidson fredrickbishop14 karlcow martijn m_finkel mohit.n webkit-bug-importer wilander oldest_to_newest 2081217 0 473554 opendarwin 2024-12-12 08:42:22 -0800 Created attachment 473554 Sample html to reproduce the bug Steps to reproduce: 1) Open Safari 18.2 2) In Safari Security Settings, enable "Warn before connecting to a website over HTTP" 3) Download the attached index.html file 4) In Terminal, cd ~/Downloads; /usr/bin/python3 -m http.server 5) In Terminal, open -a Safari 'http://localhost:8000' Expected results: "This Connection Is Not Secure" warning, with options to Continue or Go Back Actual results: Safari can't open the page "http://localhost:8000/". The error is: "Navigation failed because the request was for an HTTP URL with HTTPS-Only enabled" (WebKitErrorDomain:305) Notes: This is the new Safari 18.2 feature described at https://webkit.org/blog/16301/webkit-features-in-safari-18-2/#security-and-privacy 2081971 1 webkit-bug-importer 2024-12-15 23:23:40 -0800 <rdar://problem/141532147> 2097899 3 wilander 2025-02-25 12:39:14 -0800 Hi! Thanks for filing! Can you manually enter 'http://localhost:8000' in the URL bar, including the scheme http://, and then load the page? 2098010 4 opendarwin 2025-02-25 15:37:10 -0800 (In reply to John Wilander from comment #3) > Hi! Thanks for filing! > > Can you manually enter 'http://localhost:8000' in the URL bar, including the > scheme http://, and then load the page? Yes. 2098013 5 wilander 2025-02-25 16:00:33 -0800 OK, so then there's at least a workaround for now. Thanks! 2098833 6 wilander 2025-02-27 10:49:37 -0800 Note that that is a deliberate thing. Explicitly stating a plaintext scheme should allow loading it. 2122099 7 martijn 2025-06-06 00:31:32 -0700 To add to this. Somehow, on one of my machines (Safari 18.5), localhost got in a state where it won't load in Safari anymore: Safari can't open the page "http://localhost:3000/". The error is: "Navigation failed because the request was for an HTTP URL with HTTPS-Only enabled" (WebKitErrorDomain:305) This happened consistently when I typed "L" in the address bar and confirmed the autocomplete. Now since I typed the full address, also with http:// it worked, and the problem disappeared for autocomplete, too. However, as with the original bug report, when following a http://localhost:3000/ link, it still blocks. Removing website data for localhost doesn't accomplish anything for this problem (this is a common suggestion on the web) and apparently there's no way (anymore) to remove the HSTS cache for Safari - if that's even relevant. So far, this is probably exactly the same as the original post. What I did notice is that when I close the tab presenting the error, and then Cmd+Z to reopen the tab, it always loads. I would expect: - this blocking to never happen for localhost - that there is a documented way to break through the blockade (permanently) 2212197 8 m_finkel 2026-05-19 15:01:22 -0700 Pull request: https://github.com/WebKit/WebKit/pull/65222 2217765 9 ews-feeder 2026-06-04 15:28:08 -0700 Committed 314584@main (f219b0a165b6): <https://commits.webkit.org/314584@main> Reviewed commits have been landed. Closing PR #65222 and removing active labels. 473554 2024-12-12 08:42:22 -0800 2024-12-12 08:42:22 -0800 Sample html to reproduce the bug index.html text/html 113 opendarwin PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KPHRpdGxlPmxvY2FsaG9zdCBidWc8L3RpdGxl Pgo8L2hlYWQ+Cjxib2R5Pgo8aDE+bG9jYWxob3N0IGJ1ZzwvaDE+CjwvYm9keT4KPC9odG1sPgo=