When you do web development, the web server often needs to set some secure cookies in the browser. They are often used for user authorization. Those work on localhost, but not with http://, as browsers treat plain HTTP as insecure. For example, by default, you can't log in to Coder when it's hosted without https.

Chromium-based browsers let you manually mark some origins as trusted, and they are then treated as secure. You can do it be setting the following flag: chrome://flags/#unsafely-treat-insecure-origin-as-secure

I did it with my workspace to be able to develop Coder on Coder without https and use the development web UI via the .coder domain.

It'd be great to document that this is possible when we publish the Coder VPN docs.

Also, It'd be good to mention that this is actually secure with Coder VPN because the connection is still encrypted at a lower part of the networking stack with wireguard.