file://, http://localhost, and http://127.0.0.1 (as well as some other defined-to-be-localhost IPs) are all considered "secure contexts".

There's still a problem here, of course: things can work locally but fail when deployed to an http:// site.