It was discussed a year ago. https://news.ycombinator.com/item?id=44235467
Discussion Highlights (8 comments)
KomoD
Looks like they stopped doing it https://localmess.github.io > UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
mozvalentin
Chrome and Firefox have deployed / are deploying local-network-access which prompts the user when apps try this.
applfanboysbgon
> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday. > The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users). > Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles. May 12, 2026
woodrowbarlow
i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".
throwa356262
Off topic: I wonder how hard it is to poison this type of data gathering?
1vuio0pswjnm7
A timely question. Hopefully someone will share the recent Order and Third Amended Complaint Since that discussion in 2025 Rose v Meta was consolidated with some other privacy cases against Meta A first amended complaint was filed,^1 Google was added as a defendant Defendants motion to dismiss was denied A third amended complaint was filed on Monday Here are the PDFs 1. 1st amended complaint https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Meta motion to dismiss https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Google motion to dismiss https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Plaintiffs response https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Meta reply https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Google reply https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Order (Payment required) https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt... 2nd amended complaint (Payment required) https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...
apitman
I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server. You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to ` http://service.local `, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains. Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console. It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad. [0]: https://developer.chrome.com/blog/local-network-access
0john
This actually inspired me recently to create Pal Pipe for Android- https://gitlab.com/not_john/palpipe
Related Discussions
Found 5 related stories in 93.8ms across 10,002 title embeddings via pgvector HNSW
Discussion Highlights (8 comments)
KomoD
Looks like they stopped doing it https://localmess.github.io > UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
mozvalentin
Chrome and Firefox have deployed / are deploying local-network-access which prompts the user when apps try this.
applfanboysbgon
> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday. > The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users). > Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles. May 12, 2026
woodrowbarlow
i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".
throwa356262
Off topic: I wonder how hard it is to poison this type of data gathering?
1vuio0pswjnm7
A timely question. Hopefully someone will share the recent Order and Third Amended Complaint Since that discussion in 2025 Rose v Meta was consolidated with some other privacy cases against Meta A first amended complaint was filed,^1 Google was added as a defendant Defendants motion to dismiss was denied A third amended complaint was filed on Monday Here are the PDFs 1. 1st amended complaint https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Meta motion to dismiss https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Google motion to dismiss https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Plaintiffs response https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Meta reply https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Google reply https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45... Order (Payment required) https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt... 2nd amended complaint (Payment required) https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...
apitman
I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server. You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to ` http://service.local `, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains. Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console. It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad. [0]: https://developer.chrome.com/blog/local-network-access
0john
This actually inspired me recently to create Pal Pipe for Android- https://gitlab.com/not_john/palpipe