by Avamander 2540 days ago
Vast majority of users don't want CSRF-able software either. Let's first discourage such garbage software before making workarounds. In addition to that, those workarounds most likely will not eliminate all the possible issues and buggy software still gets exploited.
2 comments

Not every TCP server speaks CSRF.

This isn't about 'garbage software'; it's about the expectation that a local LAN is not exposed to the Internet and therefore does not need the same security controls that an Internet-facing network does.

Browsers making requests on the LAN breaks this expectation.

Before someone says "but I don't expect that", well, why do you even have a firewall? With the notable exception of Google/BeyondCorp, practically every LAN in the world expects to trust its members. Having untrusted code in browsers able to send requests on the LAN violates that expectation.

a) You can't establish a plain TCP connection with arbitrary content using a browser.

b) Expecting a LAN to be always secure, or okay to keep unsecured, is a terrible assumption that has been proven wrong numerous times; it is time to trash that assumption once and for all.

Implementing CSRF doesn't stop an outside party from finding out that you have (for example) an AppleTV inside your network. The device will still return an HTTP status code. You could legit spy on end users this way. A real boon for ad tech, too.

Such specific detections could be countered by Apple; it serves no good adtech purpose if they can determine that some small number of devices exist on a LAN.

In general though, this isn't a problem on proper IPv6 LANs, and instead of buggy and cumbersome workarounds being built into browsers we should just switch.