I believe this is caused by HSTS - see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
If you have (developed) any other localhost sites which send a HSTS header...
eg. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
...then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.
To get around this, I did the following.
This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know :)
UPDATE - November 2017
Chrome has recently moved this setting to sit under Delete domain security policies
UPDATE - December 2017 If you are using .dev domain see other answers below as Chrome (and others) force HTTPS via preloaded HSTS.
~ Answered on 2015-02-18 14:56:06