Can a website make an HTTP request to "localhost"? How does it get around the cross-domain policy?
Im surprised nobody has pointed out that the accepted answer (by meltdownmonk) is wrong.
"It will not break cross domain policy, because the request will not cross domains. It will stay local. One way to avoid cross domain policies, is to get the target victim to make the HTTP request themselves. Thus the request never crosses domains."
"It's not the website itself connecting to your Redis machine. It's you connecting to your Redis machine, executing client side code/scripts that you ran by clicking the link"
"The attacker doesn't have full control over the process. They rely on the owner of the Redis server to execute the code."
"...it's not the attacker that executes them, it's the owner, and so no Cross Domain Policies are violated."
This is not how the Same-Origin-Policy (SOP) and Cross Origin Resource Sharing (CORS) work. Of course the request will cross domains when a website tries to connect to localhost. Also it is the website itself trying to connect to your redis and not the user - the attacker does not have to rely on the user. There is no difference whether the code runs automatically in the background or if the user clicks a button.
A website is basically able to send requests to localhost on different ports and can thereby even run a port scan. The browser's CORS implementation will ensure that data cannot be read by javascript. Therefore, the attacker cannot steal data from localhost and send it to a server. This is only true of course as long as your services on localhost do not explicitly allow CORS requests to be made (when they sent allow-origin headers, the attacker can steal data).
Apart from this, requests are still possible and therefore CSRF attacks are also possible. Such a CSRF attack could be triggered with a simple javascript HTTP-request (which does not require a CORS preflight check), but also HTML form data sent via GET/POST and websockets can be used to establish a connection to local services.
So to sum it up, if you visit a website, this website will be able to send requests to your local services on your computer on different ports. Reading data from your local services is normally not possible.