Yes. Facebook was using this trick on Android. Meta's Android apps would host a server on localhost, and their sites would communicate with this local server to pass tracking information that would otherwise be blocked by all browser protection methods on Android. I guess it is still fingerprinting, but at the most extreme end.
Mostly it's great for tracking although I'm sure it could also be used to exfiltrate data (e.g. if the user is running something sensitive on localhost).
CORS doesn’t prevent requests (i.e. GET requests from IMG tags, or XHR preflight requests), it only prevents web apps from processing the response if the responding server doesn’t agree. And a simple GET or even OPTIONS request can be enough to exploit vulnerabilities in routers and other local devices.
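The distinction in the comment above, as an added example that is not part of the original thread: a simplified JavaScript model of a local device endpoint and of the browser's CORS read check. It shows the server-side effect happening even though the page cannot read the response, next to server-side checks that stop it. The `/apply` route, the origins and the state object are hypothetical.

```javascript
// Simplified model, constructed for illustration: a local device endpoint
// plus the browser's CORS read check. Route, origins and state are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://192.168.1.1"]); // the device's own UI

function handle(req, state, hardened) {
  const headers = req.headers || {};
  if (hardened) {
    // State changes only via POST, so an <img src=...> GET cannot trigger them.
    if (req.path === "/apply" && req.method !== "POST") {
      return { status: 405, headers: {} };
    }
    // Browsers send an Origin header on cross-origin POST requests;
    // accept only the device's own UI.
    if (req.method === "POST" && !ALLOWED_ORIGINS.has(headers.origin)) {
      return { status: 403, headers: {} };
    }
  }
  if (req.path === "/apply") {
    state.mode = req.query.mode;         // side effect runs before any response exists
    return { status: 200, headers: {} }; // no Access-Control-Allow-Origin header
  }
  return { status: 404, headers: {} };
}

// What CORS actually decides: may the page's script read this response?
function pageCanRead(response, pageOrigin) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// A page on another origin causes the request; report what the page can read
// and what the server did.
function crossSiteRequest(req, hardened) {
  const state = { mode: "default" };
  const response = handle(req, state, hardened);
  const readable = pageCanRead(response, "https://other.example");
  return { status: response.status, readable, mode: state.mode };
}

// Constructed sample requests.
const imgGet = { method: "GET", path: "/apply", query: { mode: "changed" }, headers: {} };
const formPost = { method: "POST", path: "/apply", query: { mode: "changed" },
                   headers: { origin: "https://other.example" } };

console.log(crossSiteRequest(imgGet, false)); // unreadable, yet state changed
console.log(crossSiteRequest(imgGet, true));  // rejected: wrong method
console.log(crossSiteRequest(formPost, true)); // rejected: foreign Origin
```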
It seems to be part of some "bot defense" product by these F5 people, to "test the different browser capabilities". I doubt it's intended to hit a real endpoint on any system.