In Chrome there is a flag called allow-insecure-localhost. As far as I can tell, all it does is block localhost connections over TLS if the certificate is self-signed.
Why is this feature turned off by default? Does it affect regular users in any way (regular user = someone who is not developing something)? Are there any serious cases of localhost connections being used maliciously that could have been prevented by having this option enabled?