We received a report today of a broken canister frontend on Safari. After a bit of digging, we found that on Safari, http://localhost addresses are automatically being redirected to secure URLs, e.g. https://localhost. This is because the default security headers that are included with the asset canister include the upgrade-insecure-requests header.
Safari honors this header even for local hosts, such as localhost and 127.0.0.1, when other browsers choose to ignore it. What this header does is instruct the browser to automatically redirect http requests to https requests. It’s good to have from a security perspective, but it’s not often needed while developing locally.
If this is causing some pain for you, you can fix this temporarily by deleting upgrade-insecure-requests; from line 27 of .ic-assets.json5 and redeploying your asset canister.
We will provide a fix soon which will ensure dfx provides default security headers in an environment-aware fashion.
If you have any questions or comments, please respond in the chat below!
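
An added example, not part of the original post and not dfx code: upgrade-insecure-requests is a directive inside the Content-Security-Policy header value, so an environment-aware default can drop just that directive for local hosts and leave the rest of the policy intact. The function names, the sample policy and the treatment of `*.localhost` subdomains are assumptions of this sketch.

```javascript
// Added example (not dfx code): choose a CSP value per environment.
const DIRECTIVE = "upgrade-insecure-requests";

// Hosts treated as local development. "localhost" and "127.0.0.1" come from
// the post; "*.localhost" subdomains are an assumption of this example.
function isLocalHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "localhost" || h === "127.0.0.1" || h.endsWith(".localhost");
}

// Split a CSP header value into trimmed, non-empty directives.
function parseCsp(value) {
  return value.split(";").map((d) => d.trim()).filter((d) => d !== "");
}

// Directive names are case-insensitive; the name is the first token.
function directiveName(directive) {
  return directive.split(/\s+/)[0].toLowerCase();
}

function hasUpgradeDirective(value) {
  return parseCsp(value).some((d) => directiveName(d) === DIRECTIVE);
}

// Return the CSP unchanged for deployed hosts; drop only the upgrade
// directive for local hosts so every other protection stays in place.
function cspForHost(value, hostname) {
  if (!isLocalHost(hostname)) return value;
  return parseCsp(value)
    .filter((d) => directiveName(d) !== DIRECTIVE)
    .join("; ");
}

// Constructed sample policy, not the asset canister's real default.
const SAMPLE_CSP =
  "default-src 'self'; img-src 'self' data:; upgrade-insecure-requests;";

console.log(cspForHost(SAMPLE_CSP, "localhost"));
console.log(cspForHost(SAMPLE_CSP, "app.example.com"));
```

Running `hasUpgradeDirective` over the value that is about to be deployed to a non-local network is a quick check that the temporary local edit has not leaked into production.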