
By default, access to [::1] and localhost is disallowed in Microsoft Edge. One way to work around this is to enable it in the about:flags page:

[Screenshot: Microsoft Edge about:flags, "Allow localhost loopback" option]

On that label it also says (this might put your device at risk).

What risks am I exposing myself to by allowing localhost loopback?

I'm thinking that XSS wouldn't be a risk due to Same Origin Policy (unless I'm XSS-ing a site running on my own local web server, but in that case the attacker already has local control of my device).

rink.attendant.6

1 Answer


One risk that can occur here is Cross-Site Request Forgery (CSRF). Say you have an application running on your localhost which presents a web server for administration purposes. If you allow localhost in a browser, when visiting a site controlled by the attacker, the attacker could request a URL such as

`http://localhost/admin/do_some_action?delete=yes`

which, if valid for the site listening on that host, could cause an inadvertent action to be taken.

Now this of course requires a vulnerable service to be listening on that port, so not everyone would be at risk here. However what Microsoft have likely done is look at the trade-offs of allowing or disallowing this access and decided that for the majority use case there's more risk than benefit, so they've set this default, whilst providing a work-around if needed.

Rory McCune
  • How is requesting `http://localhost/admin/do_some_action?delete=yes` any different from requesting something like `http://mybank.com/admin/do_some_action?delete=yes`? – Michael Jan 03 '17 at 23:13
  • Well, generally localhost is only available locally, so developers may well make an assumption that requests come from the local user and can therefore be trusted, whereas you'd hope that mybank.com would know about CSRF and defend against it. – Rory McCune Jan 04 '17 at 21:44
  • "generally localhost is only available locally" Generally, or always? – curiousguy Jun 22 '18 at 18:49
  • With the vast number of possible combinations of networking and operating system setup, it would be difficult to be absolute :) – Rory McCune Jun 24 '18 at 15:29