If Postgres trusts localhost connections, is it dangerous to visit random websites?

You basically rely on the strictness of the PostgreSQL protocol parser. In the past there were several attacks where too much tolerance against malformed input made attacks from the browser possible, even though the browser did not correctly speak the application protocol. See for example HTML Form Protocol Attack or more recently NAT Slipstreaming. This made the browser block several ports for outgoing connections, but notably the default PostgreSQL port 5432 does not seem to be one of these.

While it might work in this specific case, it is a bad idea in general to rely on the unknown robustness of an implementation. This is especially true if there are other options: PostgreSQL can use UNIX domain sockets. UNIX domain sockets are not only safe against access from the browser, but access from other users on the system can also be restricted much more easily, since UNIX domain sockets use file system permissions (i.e. user, group, ...) for access control.
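
An added example (not part of the answer above and not PostgreSQL's own tooling): a small Python check for the situation in the question, flagging `pg_hba.conf` rules that grant `trust` over TCP to a loopback address while leaving UNIX-socket (`local`) rules alone. The sample files and function names are constructed for illustration; quoted fields, include directives and IPv6 netmask columns are not handled.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, conn_type, address, method) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()          # drop comments, split columns
        if len(f) >= 4 and f[0] == "local":       # local DB USER METHOD
            yield lineno, f[0], None, f[3]
        elif len(f) >= 5 and f[0] in HOST_TYPES:  # host DB USER ADDRESS METHOD
            if len(f) >= 6 and is_ip(f[4]):       # old style: ADDRESS NETMASK METHOD
                yield lineno, f[0], f"{f[3]}/{f[4]}", f[5]
            else:
                yield lineno, f[0], f[3], f[4]

def reaches_loopback(addr):
    """True if the ADDRESS column can match a client on 127.0.0.0/8 or ::1."""
    if addr in ("all", "samehost", "samenet", "localhost"):
        return True
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # other hostnames are not resolved in this offline check
    return any(net.version == lb.version and net.overlaps(lb) for lb in LOOPBACK)

def trust_over_tcp_loopback(text):
    """Rules that admit any local TCP client without credentials."""
    return [(n, addr) for n, ctype, addr, method in parse_hba(text)
            if ctype != "local" and method == "trust" and reaches_loopback(addr)]

# Constructed sample: the setup described in the question.
WEAK = """# TYPE DATABASE USER ADDRESS METHOD
local  all  all                 peer
host   all  all  127.0.0.1/32   trust
host   all  all  ::1/128        trust
host   all  all  10.0.0.5 255.255.255.255 trust
"""
# Constructed sample: socket access via peer, TCP loopback requires a password.
HARDENED = """local  all  all                 peer
host   all  all  127.0.0.1/32   scram-sha-256
"""
```

Run against `WEAK`, it reports lines 3 and 4; the `local` rule is never flagged because access to the socket is governed by file system permissions rather than by a TCP port any local process can reach.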


JavaScript inside a webpage can't connect to an arbitrary TCP/IP port; JavaScript inside a browser uses a limited set of protocols (HTTP, WebSocket, WebRTC). The restriction is on the browser level, not the language itself; this remains true only for publicly available browsers that don't have an extension that acts as a TCP proxy.
On the other hand, if the local Postgres (or any database server) can accept SQL requests over HTTP, then there is a risk of a malicious website exploiting this feature, which presents a vulnerability if it is not monitored.