The mistake is web applications that rely on session cookies alone to authenticate requests. Of course it's not their fault that it's so difficult to secure web apps, but by now this is common knowledge (CSRF/Confused Deputy Attacks). Not allowing browsers to make requests to internal IPs would break many things. We should be moving towards an internet architecture where there is no such distinction anyway.
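As an added illustration of the point above (example code written for this page, not code from the original comment or from any named project), here is a minimal Python model of a server that refuses to treat the ambient session cookie as sufficient proof of intent for a state-changing request. Everything in it is constructed: the application origin `https://app.example`, the in-memory session store, the `Request` class, and the HMAC-bound token scheme are assumptions standing in for whatever a real framework provides.

```python
"""Model of the CSRF/confused-deputy defence: a browser will attach the session
cookie to a cross-site request on its own, so a state-changing request must also
carry something the attacking site cannot read or forge. All names, data and
the in-memory session store below are constructed for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)      # constructed per-process key
ALLOWED_ORIGIN = "https://app.example"       # constructed application origin
SESSIONS: dict[str, str] = {}                # session_id -> user (constructed store)


def login(user: str) -> tuple[str, str]:
    """Create a session; return (session_id, Set-Cookie header value).

    SameSite=Lax stops the browser sending the cookie on cross-site POSTs,
    HttpOnly keeps it away from page scripts, Secure keeps it off plaintext.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid, f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def csrf_token_for(session_id: str) -> str:
    """Synchronizer-style token bound to the session with a keyed hash, so the
    server need not store tokens and a token from one session is useless in
    another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)


def same_origin(url: str) -> bool:
    """Compare scheme, host and port; a missing or unparsable value is cross-site."""
    got, want = urlsplit(url), urlsplit(ALLOWED_ORIGIN)
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)


def authorize_state_change(req: Request) -> tuple[bool, str]:
    """Decide whether a state-changing request may proceed; returns (ok, reason).

    The session cookie alone never suffices: the request must also come from
    our own origin and carry the token tied to that session.
    """
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not be triggered by safe methods"
    sid = req.cookies.get("session")
    if sid is None or sid not in SESSIONS:
        return False, "no valid session cookie"
    # Browsers set Origin on cross-site POSTs; treat its absence as cross-site.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return False, f"unexpected origin {origin!r}"
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token.encode(), csrf_token_for(sid).encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo() -> dict[str, bool]:
    """Constructed traffic: one request from our own page, one that a third-party
    page caused the browser to send while the user was logged in."""
    sid, _cookie = login("alice")
    legit = Request("POST", {"Origin": ALLOWED_ORIGIN}, {"session": sid},
                    {"amount": "10", "csrf_token": csrf_token_for(sid)})
    forged = Request("POST", {"Origin": "https://other.example"}, {"session": sid},
                     {"amount": "10"})
    return {"legit": authorize_state_change(legit)[0],
            "forged": authorize_state_change(forged)[0]}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The two checks are deliberately independent: the Origin comparison rejects the forged request even if the token scheme were misconfigured, and the token check still holds where a browser strips Origin or Referer. Treating a missing Origin as cross-site is the conservative choice made here; frameworks differ on it.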