1

In Chrome there is a flag called allow-insecure-localhost. As far as I can tell, all it does is block localhost connections over TLS if the certificate is self-signed.

Why is this feature turned off by default? Does it affect regular users in any way (regular user = someone who is not developing something)? Are there any serious cases of localhost connections being used maliciously that could have been prevented by having this option enabled?

1 Answer

3

Because insecure by default is bad practice.

As with many things, you have to weigh convenience against security. Your proposal would make many people a little bit less secure, by making the life of very few developers a little bit more convenient. This is really not a great deal to make.

In general, software should aim to be configured by default to be as secure as possible. Any configuration changes that could make the system less secure should be conscious choices made by the user or administrator.
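The secure-by-default pattern the answer describes, written out as an added example (not code from the question, the answer, or Chromium): a client TLS context that verifies certificates unless the caller explicitly opts out, and where the opt-out only takes effect for loopback hosts. The function name, the `allow_insecure_localhost` parameter, and the `LOOPBACK_HOSTS` set are assumptions chosen for this illustration; it uses only Python's standard `ssl` module and needs no network access.

```python
import ssl

# Constructed for this example: hosts for which the explicit opt-out may apply.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def tls_context_for(host: str, allow_insecure_localhost: bool = False) -> ssl.SSLContext:
    """Return a client-side TLS context for connecting to `host`.

    The default is what ssl.create_default_context() gives: the peer
    certificate must chain to a trusted CA and must match the hostname.
    Verification is relaxed only when the caller explicitly opts in AND
    the target is a loopback host. A non-loopback host never loses
    verification, no matter what the flag says.
    """
    ctx = ssl.create_default_context()
    if allow_insecure_localhost and host in LOOPBACK_HOSTS:
        # Conscious, narrowly scoped downgrade for a self-signed dev cert.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when the context still enforces chain and hostname checks."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for host, flag in [("example.com", False), ("localhost", False),
                       ("example.com", True), ("localhost", True)]:
        ctx = tls_context_for(host, flag)
        print(f"{host:12} opt-in={flag!s:5} verifying={is_verifying(ctx)}")
```

The point of the shape is that the insecure path costs the caller an explicit argument and is ignored outside the loopback set, so a developer's convenience setting cannot silently weaken connections to real remote hosts.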
