AleksandrHovhannisyan/firefox-cors-localhost-bug

When the HTTPS-Only mode is enabled in Firefox and a script running on localhost makes a request to another local server, CORS is allowed even though these are technically two different origins.

Firefox localhost CORS bug (HTTPS-Only mode)

Summary: When the HTTPS-Only mode is enabled in Firefox and a script running on localhost:<A> makes a cross-origin request to a server running on localhost:<B>, Firefox does not send a preflight request, and CORS is allowed even though these are technically two different origins.

Why it's a problem: Technically this isn't a big deal since it's only reproducible on localhost (as far as I could tell). However, Chrome correctly treats these as two separate origins and blocks the client from reading the cross-origin response. Firefox's inconsistency is mildly inconvenient in local dev mode.

Ticket: localhost cross-port requests bypass CORS checks (treated as same-origin) with HTTPS-only mode enabled

Reproducing

Requirements:

  • npm
  • Node.js

Steps:

  1. Clone this repo.
  2. Run npm run client to start the client (localhost:3000).
  3. Run npm run server to start the server (localhost:8000).
  4. In Firefox, navigate to about:preferences#searchResults, search for https, and enable HTTPS-Only mode.
  5. Open the client at localhost:3000 in Firefox.
  6. Open your dev tools console. Observe that the response can be read even though it was a cross-origin request.
  7. Disable HTTPS-Only mode and repeat steps 5-6. Observe that the request is correctly blocked.
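
For reference, the decision a spec-following browser is expected to make for the two servers in the steps above, as an added example (not code from this repo). It assumes plain http:// URLs, a fetch without credentials, and a server that sends no CORS headers; the function names are hypothetical and the safelist is a simplified model of the Fetch rules.

```javascript
// Added example, not the repo's code. Ports 3000/8000 come from the repro steps;
// the http:// scheme and all function names are assumptions for illustration.

// An origin is the (scheme, host, port) tuple; URL.origin serializes it.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Simplified CORS safelist: other methods or headers force a preflight.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n !== "content-type") return false;
    // Content-Type is only safelisted for three MIME types.
    const essence = String(value).split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(essence);
  });
}

// Expected outcome for a script on pageUrl fetching requestUrl.
// "readable" reflects only the final response's Access-Control-Allow-Origin.
function expectedOutcome(pageUrl, requestUrl, request = {}, responseHeaders = {}) {
  const { method = "GET", headers = {} } = request;
  if (sameOrigin(pageUrl, requestUrl)) {
    return { crossOrigin: false, preflight: false, readable: true };
  }
  const pageOrigin = new URL(pageUrl).origin;
  const acao = Object.entries(responseHeaders)
    .find(([k]) => k.toLowerCase() === "access-control-allow-origin");
  const allowed = acao !== undefined && (acao[1] === "*" || acao[1] === pageOrigin);
  return { crossOrigin: true, preflight: needsPreflight(method, headers), readable: allowed };
}

// Client on :3000 reading from a server on :8000 that sends no CORS headers.
console.log(expectedOutcome("http://localhost:3000/", "http://localhost:8000/"));
// Same request carrying a JSON body, which is not safelisted.
console.log(expectedOutcome("http://localhost:3000/", "http://localhost:8000/",
  { method: "POST", headers: { "Content-Type": "application/json" } }));
```

A browser that lets the script read the first response, or skips the preflight for the second, is treating the two ports as one origin, which is the behavior the steps above reproduce.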

Languages

JavaScript 55.5%, HTML 44.5%

Created November 20, 2025
Updated February 18, 2026