Too Long; Didn't Read
Browsers can open WebSocket connections to localhost without many protections. This got me thinking: popular JavaScript frameworks use WebSockets in development to automatically reload pages when content changes. Could a malicious website eavesdrop on that traffic and find out when developers are saving their code? A simple web server that uses hot-reloading can be used to eavesdrop on WebSocket messages being sent by a local dev server to my local browser. We use this to extract useful data from developers working on top secret projects.
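The defensive counterpart to the issue summarized above, as an added example that is not code from the original article: a local dev server can refuse any WebSocket handshake whose `Origin` header is not its own page. The port 3000 allow-list, the function names and the `onAccepted` hook are assumptions made for illustration.

```javascript
// Added example: Origin allow-list for a local hot-reload WebSocket endpoint.
// Assumption: the dev server serves its pages on port 3000.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000', 'http://127.0.0.1:3000']);

// Decide whether a WebSocket handshake may proceed, from its request headers
// (Node lower-cases header names).
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  // Browsers send Origin on every WebSocket handshake, so a request without
  // one did not come from the dev page; refuse it rather than guess.
  if (typeof origin !== 'string') return { ok: false, reason: 'missing-origin' };
  let normalized;
  try {
    normalized = new URL(origin).origin; // scheme://host:port, lower-cased
  } catch {
    return { ok: false, reason: 'malformed-origin' }; // includes the literal "null"
  }
  // Exact match only: prefix or substring tests would accept
  // http://localhost.evil.example:3000.
  if (!allowed.has(normalized)) return { ok: false, reason: 'cross-origin' };
  return { ok: true, reason: 'same-origin' };
}

// Attach the check to an http.Server-like object; onAccepted is where a
// WebSocket library would complete the handshake (hypothetical hook).
function protectUpgrades(server, onAccepted, allowed = ALLOWED_ORIGINS) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkUpgrade(req.headers, allowed);
    if (!verdict.ok) {
      socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      return;
    }
    onAccepted(req, socket, head);
  });
}

// Constructed sample handshakes, not captured traffic.
const samples = [
  { origin: 'http://localhost:3000' },
  { origin: 'https://attacker.example' },
  { origin: 'http://localhost.evil.example:3000' },
  { origin: 'null' },
  {},
];
for (const h of samples) console.log(h.origin, '->', checkUpgrade(h).reason);
```
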