To answer the "how do I work around this during development": non-HTTPS is permitted on localhost (this is at least the case in Chrome). The spec also hints at this (https://w3c.github.io/push-api/#security-and-privacy-conside...). But, as has already been mentioned, this is about desktop notifications and not web push.
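
Added example, not part of the comment above: a sketch of the W3C Secure Contexts "potentially trustworthy origin" test behind the localhost exception, useful for checking which development URLs still need HTTPS. The function names and sample URLs are constructed for illustration; file: URLs and browser-specific overrides are not modelled.

```javascript
// Added example (not from the original comment). Approximates the
// "potentially trustworthy origin" test from W3C Secure Contexts.
// Assumption: file: URLs and browser flags/overrides are not modelled.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is never treated as secure
  }
  // Authenticated transports qualify regardless of host.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;

  // WHATWG URL parsing lowercases the host and normalises IP literals,
  // so 2130706433 and 127.1 both arrive here as 127.0.0.1.
  const host = url.hostname.replace(/\.$/, ''); // drop a trailing root dot

  // The name "localhost" and its subdomains (the spec trusts these only
  // when the user agent resolves them to loopback itself).
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // Any address in 127.0.0.0/8, and the IPv6 loopback.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === '[::1]') return true;
  return false;
}

// Return the URLs that would NOT get the exemption.
function insecureOrigins(urls) {
  return urls.filter((u) => !isPotentiallyTrustworthy(u));
}

// Constructed sample of typical development URLs.
const SAMPLE_URLS = [
  'http://localhost:3000/',
  'http://127.0.0.1:8080/',
  'http://[::1]:8080/',
  'http://app.localhost/',
  'http://192.168.1.20:3000/',      // LAN address: not loopback
  'http://localhost.example.com/',  // look-alike name: not loopback
  'http://dev.internal/',           // hosts-file alias: not exempt
  'https://staging.example.com/',
];

console.log(insecureOrigins(SAMPLE_URLS));
```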