
Exclude localhost from HTTPS upgrades #1780


Closed
ericlaw1979 opened this issue Oct 24, 2024 · 0 comments · Fixed by #1781

@ericlaw1979 · Contributor

What is the issue with the Fetch Standard?

http://localhost is already a potentially trustworthy URL. Upgrade-insecure-requests already skips localhost, and HSTS should too. Otherwise, problems occur when a web developer self-hosts multiple services on localhost, or if an end-user attempts to use any of many software packages that use ephemeral localhost web servers.

Currently, https://fetch.spec.whatwg.org/#concept-main-fetch includes:

Set request’s current URL’s scheme to "https" if all of the following conditions are true:

request’s current URL’s scheme is "http"
request’s current URL’s host is a domain
Matching request’s current URL’s host per Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an asserted includeSubDomains directive) [HSTS]; or DNS resolution for the request finds a matching HTTPS RR per section 9.5 of [SVCB]. [HSTS] [SVCB]

I propose we add an additional restriction clause:

request’s current URL’s host’s public suffix is not "localhost" or "localhost."
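The upgrade step quoted above, modelled as an added example (this is not code from the Fetch Standard, the issue author, or any browser). It implements the three existing conditions plus the proposed localhost clause. Assumptions: the "public suffix" lookup is reduced to the host's last label (correct for localhost, which is not on the Public Suffix List, but not a general PSL implementation); the HSTS store and the "DNS finds a matching HTTPS RR" branch are constructed in-memory stand-ins rather than a real cache or resolver; the HSTS matching follows the label-wise suffix test of RFC 6797 section 8.2.

```javascript
// Added example: a model of the HTTP->HTTPS upgrade step in Fetch's "main fetch",
// including the localhost exclusion proposed in this issue.

// Constructed HSTS store (not real data). The bogus "localhost" entry shows that the
// proposed clause blocks the upgrade even if such an entry were ever recorded.
const knownHstsHosts = [
  { host: 'example.com', includeSubDomains: true },
  { host: 'hsts-only.test', includeSubDomains: false },
  { host: 'localhost', includeSubDomains: true },
];

// Constructed stand-in for "DNS resolution finds a matching HTTPS RR" (RFC 9460 s9.5).
const hostsWithHttpsRR = new Set(['svcb.test']);

// URL Standard "domain": a non-empty host that is not an IPv4 or IPv6 literal.
function isDomain(host) {
  if (host === '' || host.startsWith('[')) return false;      // IPv6 literal
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;     // IPv4 literal
  return true;
}

// Split into labels, ignoring one trailing dot (fully-qualified form).
function splitLabels(host) {
  return host.replace(/\.$/, '').toLowerCase().split('.');
}

// RFC 6797 s8.2 Known HSTS Host Domain Name Matching, done label-wise so that
// "notexample.com" does NOT match a known host "example.com".
// Returns 'congruent', 'superdomain', or null.
function hstsMatch(host, entry) {
  const target = splitLabels(host);
  const known = splitLabels(entry.host);
  if (known.length > target.length) return null;
  const tail = target.slice(target.length - known.length);
  if (tail.join('.') !== known.join('.')) return null;
  if (known.length === target.length) return 'congruent';
  return entry.includeSubDomains ? 'superdomain' : null;
}

// Simplified public suffix (assumption): the last label, keeping a trailing dot if
// present, so "app.localhost" -> "localhost" and "localhost." -> "localhost.".
function publicSuffix(host) {
  const trailingDot = host.endsWith('.') ? '.' : '';
  const labels = splitLabels(host);
  return labels[labels.length - 1] + trailingDot;
}

// Returns the request URL after the upgrade step (unchanged when no condition applies).
function upgradeUrl(urlString, { hstsHosts = knownHstsHosts, httpsRRHosts = hostsWithHttpsRR } = {}) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') return url.href;         // scheme must be "http"
  const host = url.hostname;
  if (!isDomain(host)) return url.href;                   // host must be a domain

  // Proposed clause from this issue: never upgrade localhost or its subdomains.
  const suffix = publicSuffix(host);
  if (suffix === 'localhost' || suffix === 'localhost.') return url.href;

  const hstsMatched = hstsHosts.some(e => hstsMatch(host, e) !== null);
  const rrMatched = httpsRRHosts.has(host.replace(/\.$/, '').toLowerCase());
  if (!hstsMatched && !rrMatched) return url.href;

  url.protocol = 'https:';
  return url.href;
}

module.exports = { upgradeUrl, hstsMatch, publicSuffix, isDomain };
```

With the constructed store, `http://www.example.com/` is upgraded through the superdomain match, `http://sub.hsts-only.test/` is left alone because that entry has no includeSubDomains, and `http://localhost:8080/`, `http://app.localhost:3000/` and `http://localhost./` are all left alone by the proposed clause regardless of what the HSTS store says.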

@annevk annevk closed this as completed in bdb452e Nov 5, 2024
meacer pushed a commit to carlosjoan91/fetch that referenced this issue Nov 26, 2024