36

Suddenly Google Chrome redirects my virtual-host domain myapplication.dev to https://myapplication.dev. I already tried to go to

chrome://net-internals/#hsts

And enter myapplication.dev into the textbox at the very bottom "Delete domain security policies" but this had no effect.

I also tried to delete the browser data.

What I also did is to change the v-host to .app instead of .dev but Chrome still redirected me to https:// ...

It's a Laravel application running on Laragon. On other PCs in the same network, it works perfectly.

Mohammed Zayan
Mathis
  • For mac users using Valet, you can do `valet secure projectname` to begin using secured connections, thus allowing it to work with chrome. – BizzyBob Dec 20 '17 at 05:51
  • The problem is explained here https://stackoverflow.com/questions/49508357/why-laravel-redirects-to-https-even-in-local-environment/49508409#49508409 – Tai Ho Oct 11 '18 at 04:13
  • This is also a problem with machines called dev, `http://dev/demo` – Jason Honingford Jul 25 '19 at 20:29

7 Answers

52

There is no way to prevent Chrome (>= 63) from using https on .dev domain names.
Google now owns the official .dev tld and has already stated that they will not remove this functionality.

The recommendation is to use another tld for development purposes, such as .localhost or .test.

More information about this update can be found in this article by Mattias Geniar.

Jerodev
  • 2
    It would be nice if you can provide a link where to dig into it. – Gerson E. Aguirre Dec 14 '17 at 17:42
  • I added a link to an article that I thought gives the best explanation. – Jerodev Dec 20 '17 at 09:39
  • 1
    Google owns this tld on what's called the internet, now they act like they have the upper hand on all networks. And messing with ones where the www DNS convention has no legitimacy. – challet Dec 21 '17 at 12:13
  • 3
    Hello Firefox, my old friend. – mraaroncruz Mar 08 '18 at 10:25
  • 1
    But! Don't use .localhost if you're using a local server that's not actually on the localhost IP address (e.g. I had a Vagrant machine set up as something.localhost using the hostsupdater plugin) as [Chrome also redirects that to the loopback address regardless of your DNS settings](https://stackoverflow.com/a/30645489/300836)! – Matt Gibson Mar 31 '18 at 09:19
  • 4
    Firefox does this now too for .dev domains so say goodbye to that old friend I guess :-) – Barry Pollard Apr 11 '18 at 18:06
  • This is done by both Chrome and Firefox. That means Firefox is also owned by Google? – I am the Most Stupid Person Jun 04 '18 at 09:13
  • It is recommended to use HTTPS even for develop environments https://youtu.be/kBkX30Cj7Bw?t=1835 – Kanabos May 01 '20 at 22:07
7

For Firefox: you can disable the property `network.stricttransportsecurity.preloadlist` by visiting the address about:config.

For IE it seems to be still working.

For Chrome, there is no solution, I think it's hardcoded in the source code.

See this article: How to prevent Firefox and Chrome from forcing dev and foo domains to use https

Mehdi
6

This problem can't be fixed. Below is the reason:

  1. Google owns .dev gTLD
  2. Chrome forces HTTP to HTTPS on .dev domain directly within the source code.

From the 2nd link below:

```
...
// eTLDs
// At the moment, this only includes Google-owned gTLDs,
// but other gTLDs and eTLDs are welcome to preload if they are interested.
{ "name": "google", "include_subdomains": true, "mode": "force-https", "pins": "google" },
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },
{ "name": "page", "include_subdomains": true, "mode": "force-https" },
{ "name": "app", "include_subdomains": true, "mode": "force-https" },
{ "name": "chrome", "include_subdomains": true, "mode": "force-https" },
...
```

References

slm
terry zhang
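
An added example, not part of the original answers: a hosts-file audit that flags local development names the preloaded entries quoted above will force to HTTPS, including the single-label machine name `dev` mentioned in the comments. The entry list is copied from the Chromium 63 snippet on this page (the current list may contain more); the function names and the sample hosts file are constructed for illustration.

```python
"""Audit local hostnames against the preloaded force-https TLD entries."""

# name -> include_subdomains, copied from the snippet quoted on this page.
PRELOADED = {"google": True, "dev": True, "foo": True,
             "page": True, "app": True, "chrome": True}

def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:           # host:port, not an IPv6 literal
        host = host.split(":")[0]
    return host

def forced_https_by(host: str, preloaded=PRELOADED):
    """Return the preload entry that forces HTTPS for host, or None."""
    # HSTS matching: an exact match always applies; a parent entry applies
    # only when it carries include_subdomains.
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preloaded and (i == 0 or preloaded[candidate]):
            return candidate
    return None

def audit_hosts_file(text: str) -> dict:
    """Map each affected name in hosts-file text to the matching entry."""
    findings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:        # fields[0] is the IP address
            entry = forced_https_by(name)
            if entry:
                findings[name] = entry
    return findings

# Constructed sample, modelled on the hostnames discussed on this page.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
127.0.0.1     myapplication.dev myapplication.app   # Laragon vhosts
127.0.0.1     myapplication.test phpmyadmin.localhost
192.168.1.20  dev                                   # machine named "dev"
192.168.1.21  devbox.lan mydev
"""

if __name__ == "__main__":
    for name, entry in audit_hosts_file(SAMPLE_HOSTS).items():
        print(f"{name}: forced to HTTPS by preloaded entry '{entry}'")
```

Names such as `mydev` or `devbox.lan` are not flagged, because matching works on whole DNS labels rather than substrings.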
5

Check that link

https://laravel-news.com/chrome-63-now-forces-dev-domains-https

Based on this article by Danny Wahl he recommends you use one of the following: “.localhost”, “.invalid”, “.test”, or “.example”.

larsbadke
5

Chrome 63 forces .dev domains to HTTPS via preloaded HSTS and soon all other browsers will follow.

.dev gTLD has been bought by Google for internal use and can not be used anymore with http, only https is allowed. See this article for further explanations:

https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/

Franz
4

MacOS Sierra, Apache: After Chrome 63 started forcing .dev top-level domains to HTTPS via preloaded HSTS, phpMyAdmin on my Mac stopped working. I read this and just edited the /etc/apache2/extra/http-vhosts.conf file:

```
<VirtualHost *:80>
  DocumentRoot "/Users/.../phpMyAdmin-x.y.z"
  ServerName phpmyadmin.localhost
</VirtualHost>
```

and restarted Apache (with `sudo /usr/sbin/apachectl stop; sudo /usr/sbin/apachectl start`), and now it works on http://phpmyadmin.localhost :) . For Laravel applications the solution is similar.

The nice thing is that when you use the *.localhost top-level domain, you can forget about editing /etc/hosts when you set up a new project.

How cool is that? :)

There's also an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here.

UPDATE 2018

Using *.localhost is not good - some applications will not support it like cURL (used by php-guzzle) - more details here. Better is to use *.local.

Community
Kamil Kiełczewski
4

It may be worth noticing that there are other TLDs that are forced to https: https://chromium.googlesource.com/chromium/src.git/+/63.0.3239.118/net/http/transport_security_state_static.json#262

google, dev, foo, page, app and chrome right now.

Stefano