Many sites do it. It's included in many standard device fingerprinting / anti-anonymity SaaS products. eBay, Facebook, etc. all do this! But it looks like this is first party, to prevent the adblocking of them.
1MB of obfuscated fingerprinting + port scan + WebGL. But the oddity is that this one is trying to find Burp Suite-specific routes.
The company I work for has a legitimate service that runs on the loopback (it provides our web apps APIs for some device integration). Hopefully it's just as simple as the user accepting the prompt, else we'll be drowning in support.
We had to go the path of the local service because they killed NPAPI. I've been thinking about using web serial as an alternative but Firefox doesn't support it.
That being said, I think this is an overall win; hopefully Firefox implements it in a consistent manner as well.
This is how many of them work for transporting, vs. the traditional old way of registering a URL scheme and requiring user interaction --- Discord, Blizzard net, Riot Client ... all localhost listeners that can interact.
It would be the job of the operating system to give or take away the ability of your browser to access your local network. But you can run your browser in a container/vm and disable localhost. (And use a separate browser for localhost only if you need it.)