That actually scares me enough to disable Swank on my laptop. Actually, to disable all localhost services that could by any stretch of the imagination execute code.
Tl;dr: web sites can send requests to localhost TCP sockets despite origin restrictions using a trick called DNS rebinding.