What does the extension - chrome://flags/#allow-insecure-localhost mean?
I have just stumbled upon what is a very helpful flag in Chrome (for developers). The flag is described as:

    Allow invalid certificates for resources loaded from localhost. Allows requests to localhost over HTTPS even when an invalid certificate is presented. – Mac, Windows, Linux, Chrome OS, Android

Having always had to generate self-signed certs for multiple services, this is great, but it begs the question: is this secure? Is this secure to leave on all the time?
If this is not secure what are the attacks possible?
The extension chrome://flags/#allow-insecure-localhost can be explained as follows. A similar situation is issuing a certificate (for example, from an internal corporate CA) with:
dNSName = localhost
iPAddress = 127.0.0.1
I doubt any publicly-trusted CAs will issue a cert for localhost, so a setting like this is probably needed to make cert errors go away? (assuming you don't want to add the cert to your trust store, which is a way bigger risk). I haven't yet run across a situation where this is dangerous; i.e. any attacks I can think of require the attacker to already be running code on the victim's computer.
One caveat I guess is if you install a lot of apps (fat clients) on your machine that host a local web server so that browsers can interact with them. For example imagine a fat client for mikesgames.com that lets a browser game directly access your USB devices. Fine if you trust the app and know it's there, but it's hard to secure that local service properly, so you may be opening up for any random website to check for this fat client and then take control of your USB devices. I'm especially skeeved out by the idea of random websites probing localhost to see what ports you have listening and from there figuring out what fat clients you have installed.
I would prefer to see browsers by default block any connection to localhost with a popup "Do you want to allow mikesgames.com to communicate with apps on your machine?". If you click Yes, I don't think there's that much security difference between http, https with invalid cert, and https with valid cert for those localhost connections. You would hope that app vendors have a way for the website and the fat client to mutually-authenticate each other to prevent abuse of the fat client by other sites, but that's really outside the scope of browser settings.