I'm on the same boat as Darryl I think here.

SSL certs are mostly not required for most things as `localhost` is considered a secure context for browser features.

Where you do need SSL certs is if you are interacting with a third-party oauth flow or something that effectively requires an actual https:// origin or if there is need to test over the private network, such as testing with a physical mobile device.

So to cover some edge cases I think SSL opt in is required and without it the developer would basically need to set up a reverse proxy to handle the SSL and terminate it before proxy passing the connection to the cordova dev server.

That and I don't think is much effort to expose and map some arguments to expressjs.

On 2026-07-14 7:56 a.m., Niklas Merz wrote:
Moving everything to Cordova browser and deprecating the serve package
sounds like a great plan to.

I'd also consider not adding the TLS/HTTPS stuff in the new
implementation to make it even less likely that it will get used as a
server in production.

I'm not 100% sure if everything that requires a secure context in the
browser is available on localhost though.

On July 14, 2026, Manuel Beck <[email protected]> wrote:
I think it's a good idea to move it in cordova-browser. The SSL thing
is interesting when Cordova is used to run it as a web app.

Regards,

Manuel

Am 14.07.2026 um 07:32 schrieb Darryl Pogue <[email protected]>:
On Mon, Jul 13, 2026 at 9:19 PM Bryan Ellis <[email protected]>
wrote:
The current PoC includes the following:
[...]
* Adds SSL/HTTPS support but does not generate SSL certificates or
keys.
This feature is useful if the app loads HTTPS resources or makes
HTTPS
requests and therefore needs to be served over HTTPS to avoid CORS-
related
issues. Again, not intended for production use.
I'm not sure if SSL is actually needed because typically browsers
treat localhost as a special-case secure origin.
That said, if it's minimal/no effort to support it and we don't have
to bring in a bunch of 3rd party dependencies, then there's probably
no reason to remove the functionality.
~Darryl
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to