That actually scares me enough to disable Swank on my laptop. Actually, to disable all localhost services that could by any stretch of the imagination execute code.
Tl;dr: web sites can send requests to localhost TCP sockets despite origin restrictions using a trick called DNS rebinding.
https://github.com/slime/slime/issues/286
If it has been left unaddressed, it is because no one thinks it is enough of a problem. That is how free software works.
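As an added example (not code from this thread or from the SLIME project), here is the usual server-side check against DNS rebinding for a loopback HTTP service: in a rebinding request the browser still sends the attacker's hostname in the `Host` header, so a service that only answers to its own loopback names rejects it. This goes beyond the Swank case, since Swank does not speak HTTP; the allowlist, port 8080 and the sample hostnames in the comments are assumptions.

```python
# Added example: Host-header allowlist for a loopback-only HTTP service.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed set of names this service is legitimately reached by.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_is_allowed(host_header, port):
    """Return True only if Host names this loopback service on its own port."""
    if not host_header:
        return False  # HTTP/1.0-style request with no Host: refuse
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port
        name, sep, rest = host.partition("]")
        name += sep
        if rest and not rest.startswith(":"):
            return False
        req_port = rest[1:]
    else:
        name, _, req_port = host.partition(":")
    name = name.rstrip(".")  # "localhost." is the same name as "localhost"
    if req_port and req_port != str(port):
        return False
    # A rebinding request carries the attacker's name here, e.g.
    # "rebind.example.test:8080" (constructed), even though it arrives on 127.0.0.1.
    return name in ALLOWED_HOSTS


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host"), self.server.server_port):
            self.send_error(403, "Host not allowed")
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the Host check covers what the bind address cannot.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Binding to 127.0.0.1 alone does not stop rebinding, because the browser making the request is already on the local machine; the check has to be on the name the client asked for.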