Can requests to 127.0.0.1 be used to fingerprint the browser?

If a site makes connection attempts or element loads sourced for 127.0.0.1, can it build a list of open local TCP ports for fingerprinting purposes? Open ports may yield different error conditions than closed ports for certain request types and elements..

There may be other vectors to to this through DNS rebinding too, but I believe in those cases the hostname should always be provided to the SOCKS port, and such connections will happen to the exit, which should block them.