chekovcodes | 5 years ago

It is a major concern - one of the things driving our focus on getting the Electron / desktop out to fix the problem - which came out yesterday and makes that terrible warning disappear. Allowing your users to authenticate directly from localhost to whatever internet authentication providers they want is one of the few situations where reverse proxying can't work (it's a man-in-the-middle attack). If you could set up reverse proxies that allowed you to, for example, sign in to your Google account or other OAuth provider from port 80 and it did all the HTTPS for you, the internet would be in big trouble. It's one of the big reasons driving the popularity of stuff like Electron IMO - it allows you to hide all the browser-generated warnings that come with running HTTPS on localhost (which you really want to do for security reasons anyway) and it's one of our major and main motivations for choosing Electron as our primary desktop package.
