Thinking about adding a localhost-only HTTP API or line-based protocol to your project? Probably not a good idea, because you can use DNS rebinding to get at/mutate that data, or whatever execution stuff is possible, through the developer's own browser.
James Dearing 🐲 likes this.
Looks like they run a local resolver, and they do block some of the private IPs. Its unclear if it blocks 127.0.0.0/8 though.