We currently use URLs like http://localhost-studio.code.org because we have internal logic that's keyed to what domain name you use. Alternatively we could use a URL like http://studio.code.org.localhost, which would give us a secure context and enable a number of modern web features, from SharedArrayBuffer to Service Workers and Web RTC.

The alternative way to get a secure context is to run as HTTPS in dev, but getting that working locally has been hard, and using an adhoc to do dev is pretty hard too. In actual practice, I think the burden of using https in local dev has meant we just don't use those features. For example, we are not using the most straightforward way to stop a python program because it uses SharedArrayBuffer: #60320

Here's a list of some modern web features we're missing out on that require a secure context:

1. WebRTC
2. MediaDevices.getUserMedia() (access camera and mic)
3. Service Workers
4. WebAssembly.compileStreaming()
5. Geolocation API
6. Notification API
7. Payment Request API
8. Credential Management API
9. Web Bluetooth API
10. WebUSB API
11. Clipboard API (write access)
12. Storage Access API
13. Push API
14. Permissions API
15. SharedArrayBuffer
16. Subresource Integrity (SRI)
17. Performance.now() with high resolution