What if my home computer has a public IP address (which it does, since I use IPv6 only)? It's not always so simple.

There's also the option of my phone connecting to my home pc while it uses 4G (while the PC uses the land connection).

then just white-list those addresses?

that doesn't help. The phones don't connect to localhost they connect to a PC

user overrides are also an option: http://www.w3.org/TR/powerful-features/#development-environm...

That's not really a solution either. You really expect your house guests or people visiting a museum or event to do a technical reconfiguring of their phone just to interact with the installation or game?

I would think that museum should be able to get a SSL cert.

But yeah, "SSL-only" kinda breaks the end-to-end principle since we have no mechanism to assign SSL certs to endpoints on demand. So it seems flawed on a conceptual level.

Most of these types of exhibits are created by art students and shown at events and happen to be run by museums. Neither the students nor anyone at the museum have any tech experience whatsoever. As the system is now it works for them. But when HTTPS is required they'll all be S.O.L.