You trust Firefox (Mozilla), Mozilla trusts Digicert. If you don't trust Mozilla to make good security decisions, switch browsers. If you want to second-guess this particular decision, you can adjust your Firefox configuration.

As a developer what I find frustrating is that it is so difficult to make my browser trust 127.0.0.1.

Shouldn't there be an easy way to configure it to trust that?

What does it mean to trust an IP address? If you found that a link took you to gmail.com on 127.0.0.1:8716, would you be fine with providing your gmail credentials to that site?

I would think I can trust anything on 127.0.0.1 because that can only be my local machine, right?

If there is something running on 127.0.0.1:8716 which I have not given permission to run then my machine is compromised already. No?

https://1.1.1.1/ is a thing. certificate used: https://crt.sh/?id=1044327786

If the site provides a trusted certificate for gmail.com, things are fine. IP shouldn't matter, port probably will.

AFAIK http://localhost is treated the same as https://localhost so you shouldn't need a self signed certificate.

https://localhost doesn't work without a self-signed certificate...

Sure, but you can use http://localhost, and it will be treated as a secure origin

Some Oauth providers require https (even for localhost), and if I'm using WebAuthn, I have to have a certificate.

But what would WebAuthn for localhost even mean ?

The credentials in WebAuthn are bound to an FQDN (typically the name of the web server but e.g. news.ycombinator.com would be entitled to ask for WebAuthn credentials for ycombinator.com) so it's not as though this is irrelevant.

I can imagine a few dozen extra lines defining a special allowance for localhost in the WebAuthn spec., but then you're also building a bunch of special backend code to handle that too and for what?

I built a toy WebAuthn implementation to understand it better, but I did it on my vanity site, and I don't feel like it would really have been easier without.