It would be shortsighted to simply call this a Chrome bug.
You can use this attack to make the browser communicate with somebody else’s computer. If that computer happens to give the user privileges because of his IP address, for instance because he is in the same home or because he is on localhost, the attacker can then use these privileges.
One could imagine Chrome blocking this attack with respect to localhost but blocking connections to machines on the home network is farfetched.
And note that it’s not just web services, the browser can start general tcp connections.