Can I be sure that my Java web application running on localhost:8080 is invisible to my Starbucks friends?

I am developing a Spring application on my computer running Windows 7 and running it on localhost:8080.

Is it likely that if I do this in a public place like Starbucks, my application may be visible to others?

(I use Windows Firewall and Microsoft Security Essentials)

+4
5 answers

Make sure it is bound to localhost:8080 (i.e. 127.0.0.1), and not to all interfaces (which is probably the default). Server programs usually let you specify which IP addresses to bind to. For example, in Apache you can specify the IP address in the Listen directive in addition to the port number. If you bind only to 127.0.0.1, the port will not be open to people viewing your external IP address.

+6

Short answer: No.

Long answer: someone can access your application like this:

If you visit a malicious website (if someone at Starbucks is poisoning the DNS cache or pushing DNS answers, you can visit a malicious website at www.google.com without knowing it), then the attacker could send you to his domain with a DNS server (which can actually be on his laptop) that responds to the same request with a very short TTL, once with his IP address, then with 127.0.0.1, then his IP address, etc. That way, when you visit it (http://www.example.com:8080), it is resolved to the attacker's IP address, and you get a web page that launches an AJAX request to the same domain and the same port (therefore within every browser's same-origin policy), but thanks to the short TTL you no longer have the domain entry in your cache, so you ask again, and this time you get the answer 127.0.0.1, which, by the way, is your own loopback interface that you consider to be invisible from the outside. And it actually is invisible from the outside, but it is perfectly visible from your browser. Your browser will happily connect to your application at 127.0.0.1:8080 and proxy the request to the attacker using another AJAX connection or any other side channel. Voilà, your application is now connected to the world!

Such things happen in the wild, so be careful. Sometimes people even gain access to the admin interfaces in routers behind NAT and firewalls. Honestly, I'm very scared of all the answers telling you that it is impossible to access anything running on localhost. Be careful what you do.

+5
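
The two answers above cover two separate exposures: a listener bound to every interface, and a browser tricked by DNS rebinding into reaching the loopback listener. The following is an added example, not code from any of the posts; it uses the JDK's built-in `com.sun.net.httpserver` instead of Spring, and the class name and the Host allowlist are assumptions chosen for illustration. It binds to 127.0.0.1 only and rejects requests whose Host header is not a local name, a commonly used mitigation for rebinding.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class LoopbackOnlyServer {              // hypothetical class name
    static final int PORT = 8080;
    // Host values a browser sends when the user really typed a local URL.
    static final Set<String> ALLOWED_HOSTS =
            Set.of("localhost:" + PORT, "127.0.0.1:" + PORT);

    // A rebinding page loaded from www.example.com:8080 still sends
    // "Host: www.example.com:8080" after the name re-resolves to 127.0.0.1,
    // so an exact-match allowlist on the Host header rejects it.
    static boolean hostAllowed(String hostHeader) {
        return hostHeader != null
                && ALLOWED_HOSTS.contains(hostHeader.trim().toLowerCase(Locale.ROOT));
    }

    static void handle(HttpExchange ex) throws IOException {
        boolean ok = hostAllowed(ex.getRequestHeaders().getFirst("Host"));
        byte[] body = (ok ? "hello from the dev app\n" : "unexpected Host header\n")
                .getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(ok ? 200 : 403, body.length);
        try (OutputStream out = ex.getResponseBody()) {
            out.write(body);
        }
    }

    public static void main(String[] args) throws IOException {
        // Bind to the loopback address only. new InetSocketAddress(PORT) would
        // bind the wildcard address and listen on every interface.
        InetSocketAddress addr =
                new InetSocketAddress(InetAddress.getByName("127.0.0.1"), PORT);
        HttpServer server = HttpServer.create(addr, 0);
        server.createContext("/", LoopbackOnlyServer::handle);
        server.start();
        System.out.println("Listening on " + server.getAddress());
    }
}
```

In a Spring Boot application the bind address is set with the `server.address` property (for example `server.address=127.0.0.1`); the Host check would go in a servlet filter.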

Is it likely that if I do this in a public place like Starbucks, my application may be visible to others?

Sure! People can look over your shoulder.

+3

What Jeremiah said. Use netstat -an to check which addresses it is bound to.

And never trust a Windows firewall or other software that you don't have the source for.

+2

If the port is open, it can be. If you program it to accept connections only from localhost during development, then even if they can see it, they will not be able to connect to it.

+1

Source: https://habr.com/ru/post/1341242/

