I’m assuming you have
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost
The risk is that any services running on a user’s machine could effectively bypass the Same Origin Policy for your site.
So if you have a REST URL such as
https://example.com/User/GetUserDetails
A malicious or compromised service running on the user’s computer could make that request via the user’s browser and then grab details about the user, because their authentication cookie will be passed with the request.
Now, you could argue that a malicious service running on the user’s computer could just grab the authentication cookie from their browser directly and then make the request itself. However, if the service has some flaws of its own (say XSS), this could allow another site to compromise the user via your REST service (evil.example.org --XSS-> localhost -CORS-> example.com/User/GetUserDetails).
Another scenario that could put you at risk if the user is running a local reverse proxy to access something. This would enable the target site to compromise the user through yours, should that target site be malicious or be compromised. This is because the user would be accessing the target site with a domain of localhost.
If you really need to do this I suggest you have a special developer account for your REST service that when accessed adds the Access-Control-Allow-Origin: https://localhost header to your requests only. That way, you are not putting other users at risk because you know you are only running the front-end server only at https://localhost so you cannot be compromised by your open CORS setting.
Another way may be to use something like noonewouldusethis2859282.localhost for your local copy of the front-end. Then you can safely add the Access-Control-Allow-Origin: https://noonewouldusethis2859282.localhost header because nobody else would use this and would be safe from CORS attacks.