I am working on a Web Application project with a company that has bit extra strict policies when it comes to security and stuff. In our project, we have a UI app that talks to Node MW, to run it locally we need to start the UI, Node, and a node-based mock server.
We have Dev envs that the QE team uses to test the application, I proposed instead of running the node and mock server locally for dev purposes we can directly the node dev environment from the local UI application but that would take allowing localhost origin on the node hosting cluster. The allowing of localhost origin is only Dev environment and for making devs life easier, it is an improvement from our side which we proposed.
When this was run by the Chief security officer, he suggested that there must be some specifications or guideline somewhere which states that this is ok and it wouldn’t be a problem in the future if the browser upgrades its policy related to localhost origin.
He referred to this article which might be connected to https://developer.chrome.com/blog/private-network-access-update/
Can anyone point me in the right direction where can I find this policy/rule/document that states that it is alright to allow localhost in the access-control-allow-origin header? I know * is not recommended but localhost should be ok if it is on private dev environments.