"Secure origin" other than HTTPS?

Short answer: Yes, localhost is a secure origin. Chrome also has a command line flag to treat specified HTTP endpoints as secure: --unsafely-treat-insecure-origin-as-secure=http://a.test,http://b.test. So it's not just "HTTPS".

Longer answer: Other schemes such as blob:, wss:, and chrome-extension: can also be considered as secure contexts. about:blank is a common example that can vary, since the browser has to remember how it got there. And an iframe pointing at an HTTPS page, but embedded in an HTTP page, would not be secure.

To determine what the browser thinks of all this, examine the value of window.isSecureContext. The spec is here: https://w3c.github.io/webappsec-secure-contexts/

This chromium page https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins gives some context and links to the spec above.

For instance, data: URLs are insecure but blob: URLs are secure.

const src = "<script>document.write(isSecureContext)</scr"+"ipt>";

a.src = `data:text/html,${src}`;

b.src = URL.createObjectURL(
  new Blob([src], {type:'text/html'}));

<p>data url is insecure
<iframe id=a width=100 height=25></iframe>

<p>blob url is secure
<iframe id=b width=100 height=25></iframe>