WebKit Bugzilla
NEW
281149
WebKit is inconsistent about whether localhost is a secure origin or not
https://bugs.webkit.org/show_bug.cgi?id=281149
Sam Sneddon [:gsnedders], Reported 2024-10-09 10:06:31 PDT
We have a number of open bugs about localhost and whether or not it is secure: bug 171934 (Don't treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as mixed content), bug 218980 (Treat loopback addresses (127.0.0.0/8, ::1/128, localhost, .localhost) as potentially trustworthy URL), and bug 232088 (Unable to set secure+httpOnly cookie for localhost in Safari from Node JS).

As it stands, window.isSecureOrigin is true, but you can't set secure cookies, and nor load mixed secure content. For example:

https://github.com/WebKit/WebKit/blob/b50ab39c922f4afcc0b894736c29846f1f50d065/Source/WebCore/page/SecurityOrigin.cpp#L89-L105 makes localhost "potentially trustworthy"

https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/MixedContentChecker.cpp#L51-L60 makes localhost insecure (unless loaded over HTTPS)

https://github.com/WebKit/WebKit/blob/f5955e181acaa5aacc1c6c573a92697d661d6926/Source/WebCore/loader/CookieJar.cpp#L62-L65 makes Secure cookies only work with HTTPS.

Regardless of whether we want localhost to be secure or not (which I think is to some extent blocked on bug 250607?), we should at least be consistent as to whether or not it is secure.
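
The inconsistency described in the report above, as an added example that is not part of the original report and is not WebKit code: a simplified model of the three decisions as the report states them, next to a hypothetical version where all three consult one shared predicate. The function names are made up for illustration, and applying the report's "localhost" statement to the whole loopback set from the linked bug titles is an assumption.

```javascript
// Added illustration: a simplified model of the three decisions as the report
// describes them. It is not WebKit source code; all names are hypothetical.

// Loopback set named in the linked bug titles:
// 127.0.0.0/8, ::1/128, localhost, .localhost
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // tolerate "localhost."
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // URL.hostname keeps the brackets
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m[1] === "127" && m.slice(2).every((o) => Number(o) <= 255);
}

// The three answers as the report states them. Assumption: what the report
// says about "localhost" is applied here to the whole loopback set.
function reportedDecisions(urlString) {
  const url = new URL(urlString);
  const https = url.protocol === "https:";
  return {
    potentiallyTrustworthy: https || isLoopbackHost(url.hostname),
    mixedContentSecure: https,
    secureCookieAllowed: https,
  };
}

// Hypothetical consistent version: one predicate feeds all three decisions,
// whichever way the "is loopback secure?" policy question is settled.
function consistentDecisions(urlString, loopbackIsSecure) {
  const url = new URL(urlString);
  const secure =
    url.protocol === "https:" || (loopbackIsSecure && isLoopbackHost(url.hostname));
  return { potentiallyTrustworthy: secure, mixedContentSecure: secure, secureCookieAllowed: secure };
}

// True when every decision gives the same answer for the URL.
function isConsistent(decisions) {
  return new Set(Object.values(decisions)).size === 1;
}

// Constructed sample URLs.
for (const u of ["http://localhost:3000/", "http://[::1]:8080/", "https://localhost/", "http://example.com/"]) {
  console.log(u, reportedDecisions(u), "consistent:", isConsistent(reportedDecisions(u)));
}
```

Only the plain-HTTP loopback URLs come out inconsistent in the modelled behaviour; HTTPS and non-loopback HTTP origins get the same answer from all three checks.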
Radar WebKit Bug Importer, Comment 1, 2024-10-09 10:06:44 PDT
<rdar://problem/137604100>