Some browsers allow any web page to access localhost subresources

[arthuredelstein]

What the hell?

[uazo]

some chromium related documents that might interest you

Intent to Experiment: Private Network Access preflight requests for subresources Intent to Deprecate and Remove: Private Network Access requests for subresources without proper preflight response

that's something I was checking out too.

[uazo]

some detail here

Render-initiated navigations to filesystem:// URLs are blocked in top-level frames, but are currently allowed in
iframes. As part of the storage partitioning efforts, we propose to remove support for navigation to 
filesystem:// URLs in iframes. Preventing navigation in third-party contexts would be sufficient for 
our privacy goals, but as usage is almost non-existent, we believe removing support for navigation in 
iframes altogether is the better approach.

source: https://groups.google.com/a/chromium.org/g/blink-dev/c/2V7lIYDkdtI

[ShivanKaul]

With Chromium, the local server has to opt-in to these preflight requests, which doesn't really work if the local server is also malicious.