The `dev` TLD was recently added to the HSTS preload list. See https://security.googleblog.com/2017/09/broadening-hsts-to-secure-more-of-web.html for some detail. I agree that this is a little annoying for folks who are currently relying on the `dev` TLD for internal purposes. I'd suggest moving either to an explicitly reserved TLD (like `.test`), or purchasing a domain for internal development purposes to be sure that no one can changes its properties out from under you.

Great, yet another impossible to change setting in Chrome. I can't say I'm a fan of the direction you are going with this, making decisions that even power users have no choice over. 

It doesn't help you, but it's worth noting that this isn't "Chrome" making the decision. ICANN sold `.dev` to Google; as the owner of the TLD, Google made a decision about how the TLD will be managed. I fully anticipate that decision flowing through to other browsers as well. The most effective thing for you to do going forward is to ensure that you're using domains that you control, not domains that are under the control of others. The gTLD mess makes this more difficult, but the suggestions I made above seem like reasonable approaches.

Are you saying that it is impossible to add a switch or flag to turn this security feature off, preferably on a per site basis? 

To be clear, I do support enforcing https where possible, however for power users it should always be possible to bypass this when needed. 

> Are you saying that it is impossible to add a switch or flag to turn this security feature off, preferably on a per site basis? 

I am saying that, yes. It's honestly never come up before. `.dev` is the first time I can think of where a TLD that folks were inadvertently squatting on was sold out from under them.

> To be clear, I do support enforcing https where possible, however for power
> users it should always be possible to bypass this when needed. 

I'd encourage you to file a feature request against the `chrome://net-internals` interface, but this unfortunately would not be trivial to implement, and I doubt the network team would put much priority on it. The best short-term course of action I can recommend is to use a domain that you own for your local development.

OK, thanks for the response. 

 Issue 794468  has been merged into this issue.

 Issue 794944  has been merged into this issue.

So now I have to spend money on a domain to do development on my laptop, because Google purchased "dev"? /etc/hosts has been tool for a long time, and it's odd to describe it as "squatting". a lot of people have been using dev for a lot of things for a long time. also to say "Chrome" didn't make the decision, "Google" did, is a bit of a stretch since the line between the two is pretty blurred. 

ICANN made the decision, not Google, not Chrome.

Can you cite where that decision was made? Based on my understanding it would be the owner (Google) not ICANN that would request to have a domain be included in the HSTS list. 

"A lot of people have been using dev for a lot of things for a long time" - ICANN's policies and choice of open registration made it clear that they have been doing a wrong thing for a very long time, and after a period of consultation with respect to introducing new gTLDs, went forward with it. At that point, whether you use .dev, .local, or any other squatted, non-globally qualified domain, you were at risk of breakage by the legitimate owner of that domain.

Any angst directed at Charleston Road Registry is misdirected, considering that there were multiple other applicants for Dev and Dev itself went through ICANN review in light of consideration of those use cases, and ICANN still went forward. This was covered in SSAC057 report to ICANN (see also https://www.icann.org/resources/board-material/resolutions-new-gtld-2013-10-07-en )

Your reply implies that the new owner of the domain should not be able to use the domain, because others were there 'first'. To that, I point out the above ICANN policies that evaluated such considerations and rejected them, prior to ever assigning such a domain to begin with.

That ICANN report is about the resolution to sell the domain. That's fine and has nothing to do with the issue here. 

The new owner of the domain (Google, DBA "Charleston Road Registry") modified the browser they also own (Google Chrome) to do something specific with the domain that is breaking stuff for developers. You own the domain, you own the browser, so you can do whatever you want. Hopefully going forward people won't "break the rules" by modifying their own hostfile to "squat" on the "legitimate owners".