>"I regularly encounter users who don't accept that websites can access services on localhost or their intranet,"
That seems to be a very reasonable thing to not accept...
The other related issue is that communicating with localhost over https is very hard for an app. I wonder if there is a potential way to kill two birds with one stone here with some browser changes.
does this mean a malicious site can query data from a running service, such as local MySQL? If so, isn't that a big deal? I know lots of places that run things open locally because they're behind a firewall.
https://bouk.co/blog/hacking-developers/
So, if you have, say, telnet bound to localhost without a password, you are not safe (a modern browser would drop the response as it's not valid HTTP, but with telnet you don't exactly care anyway).
You can use this attack to make the browser communicate with somebody else’s computer. If that computer happens to give the user privileges because of his IP address, for instance because he is in the same home or because he is on localhost, the attacker can then use these privileges.
One could imagine Chrome blocking this attack with respect to localhost, but blocking connections to machines on the home network is far-fetched.
And note that it's not just web services, the browser can start general TCP connections.