Same-origin policy prevents that specific attack, although the same idea exists if you’re not protected from DNS rebinding on localhost, and `--bind 127.0.0.1` (or some other way to block the port) is necessary – but Python’s built-in HTTP servers aren’t vulnerable to path traversal anyway.
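As an added example (not part of the original comment, and not code from Python's own `http.server`), one way to get both protections mentioned above is a loopback-only bind plus a `Host` header allowlist, since a rebound hostname still shows up in `Host`. The names `host_allowed`, `LoopbackOnlyHandler`, `serve` and port 8000 are assumptions made for illustration.

```python
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Names a browser legitimately uses for this machine (assumed allowlist).
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def host_allowed(host_header, port):
    """True only if Host names loopback on the port we listen on."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal keeps its colons
        name, close, rest = host.partition("]")
        name += close
        if rest and not rest.startswith(":"):
            return False
        req_port = rest[1:]
    else:
        name, _, req_port = host.partition(":")
    if name not in LOOPBACK_NAMES:
        return False  # e.g. a rebound hostname now resolving to 127.0.0.1
    return (req_port or "80") == str(port)


class LoopbackOnlyHandler(SimpleHTTPRequestHandler):
    """Rejects any request whose Host header is not a loopback name."""

    def parse_request(self):
        # Let the base class parse the request line and headers first.
        if not super().parse_request():
            return False
        port = self.server.server_address[1]
        if not host_allowed(self.headers.get("Host"), port):
            self.send_error(403, "Host header not allowed")
            return False  # base class stops handling once this is False
        return True


def serve(port=8000, directory="."):
    handler = partial(LoopbackOnlyHandler, directory=directory)
    # Same effect as `--bind 127.0.0.1`: no listener on external interfaces.
    with ThreadingHTTPServer(("127.0.0.1", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The bind keeps other machines from reaching the port; the `Host` check covers requests that arrive over loopback from a browser under a hostname the server was never meant to answer to.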