In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections. Our product needs to run a local server and forward some secure remote connections to localhost for security reasons. Because localhost isn't technically a named domain, we cannot use TLS--effectively making crypto.subtle unusable in Chrome (and chromium-based browsers like Opera), and forcing us to use a less secure shim like asmCrypto.js. Is there any way to tell Chrome to enable crypto.subtle through headers? Is there any way to disable the new feature in the settings that we can tell users about (worst case scenario)?

In Chrome 60, they added a feature that disables crypto.subtle for non-TLS connections

Not exactly, crypto.subtle is disabled for non-secure origins since first supported version (chrome 32?)

But localhost is considered a secure origin https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features

“Secure origins” are origins that match at least one of the following (scheme, host, port) patterns:

• (https, *, *)

• (wss, *, *)

• (*, localhost, *)

• (*, 127/8, *)

• (*, ::1/128, *)

• (file, *, —)

• (chrome-extension, *, —)

So you should be able to use Web Cryptographi Api on http://localhost.

Are you using HTTPS for your site? It could be that you had a problem related to mixing HTTPS and HTTP. Chrome will block the HTTP connection to localhost. Then you could generate a self-signed certificate for 127.0.0.1 and launch your local server with HTTPS (similar to @SLaks answer but you will not need a hosts entry )

You should make a CNAME or hosts entry that points a valid domain at 127.0.0.1, then get a (perhaps self-signed) certificate for that domain.