by PuercoPop 3264 days ago
They are talking about this issue

https://github.com/slime/slime/issues/286

If it has been left unaddressed, it is because no one thinks it is enough of a problem. That is how free software works.

1 comments

That actually scares me enough to disable Swank on my laptop. Actually, to disable all localhost services that could by any stretch of the imagination execute code.

Tl;dr: web sites can send requests to localhost TCP sockets despite origin restrictions using a trick called DNS rebinding.

Yes, it is certainly a gaping security hole. Yet I can't bring myself to submit a patch.