
I think he's saying that someone can make you open a web page that includes an image with the proper src attribute and bang, your Rails site is broken.


More likely, your whole data center.


Hyperbolic.


I know you've been a dev/ops guy for 20 years and I respect the fact that your development machines are sealed in vaults, but I've gotten to assess more than half of the top 10 biggest Rails apps in the world over the past couple of years and trust me, you're just wrong about this. Development machines are within reach of developer browsers. Database machines are within reach of development machines.


You've probably figured this out by now, but I'm pretty sure you're missing the point. From your other comments in this thread you appear to think that the machine needs to be internet-accessible. Have a public IP. Open Firewall. All that.

The reason this is so dangerous is that it needs none of that. All it needs is for your development machine to have access to the internet.

I open up a project, enable this, and run rackup locally.

I then view your Twitter stream, where you've embedded a crafted link behind a URL shortener.

Because that link is executed by me, you've now remotely executed code on my machine. Assuming I'm anything like most Rails shops you can probably get to a number of other machines through my machine.
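To make the attack chain described above concrete, here is an added example that is not code from any commenter or from any real gem. It models a hypothetical Rack dev console at `/__console` (path, header name and class names are assumptions; 9292 is rackup's default port) that evaluates a `code` query parameter, shows what the victim's browser sends when it renders an `<img>` whose `src` points at that endpoint on localhost, and puts a hardened variant beside it that requires POST, an allow-listed Host header, and an unguessable per-boot token carried in a custom header.

```ruby
require 'uri'
require 'stringio'
require 'securerandom'

# Build the Rack env a browser request produces. Constructed for this example;
# in real use rackup/WEBrick builds it.
def make_env(method:, path:, query: '', host: 'localhost:9292', headers: {}, body: '')
  env = {
    'REQUEST_METHOD' => method,
    'PATH_INFO'      => path,
    'QUERY_STRING'   => query,
    'HTTP_HOST'      => host,
    'rack.input'     => StringIO.new(body),
  }
  headers.each { |name, value| env["HTTP_#{name.upcase.tr('-', '_')}"] = value }
  env
end

def text(status, body)
  [status, { 'content-type' => 'text/plain' }, [body]]
end

# Hypothetical dev console of the kind the thread describes (not any real gem):
# it evaluates the `code` query parameter of any GET that reaches it.
class VulnerableConsole
  def call(env)
    return text(404, 'not found') unless env['PATH_INFO'] == '/__console'
    code = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h['code'].to_s
    # `code` came from whoever composed the URL, but it runs on the machine
    # hosting the dev server, i.e. the developer's own box.
    text(200, eval(code, TOPLEVEL_BINDING).inspect)
  end
end

# Constructed attacker page: the "image with the proper src attribute". The
# victim's browser fetches the src as a plain GET against the victim's own
# localhost. Any Ruby could stand where 1+1 does.
ATTACKER_PAGE = '<img src="http://localhost:9292/__console?code=1%2B1" alt="">'

# What the victim's browser sends when it renders ATTACKER_PAGE: a cross-site
# GET carrying nothing the attacker had to know in advance (simplified: one
# img tag, no cookies).
def browser_request_for(html)
  src = html[/src="([^"]+)"/, 1]
  uri = URI.parse(src)
  make_env(method: 'GET', path: uri.path, query: uri.query.to_s, host: "#{uri.host}:#{uri.port}")
end

# Hardened variant of the same endpoint.
class HardenedConsole
  ALLOWED_HOSTS = %w[localhost:9292 127.0.0.1:9292].freeze

  # `token` is generated at boot and printed only to the developer's terminal;
  # nothing on a remote page can learn it.
  def initialize(token)
    @token = token
  end

  def call(env)
    return text(404, 'not found') unless env['PATH_INFO'] == '/__console'
    # 1. <img src>, <a href> and redirects only ever produce GET; require POST.
    return text(405, 'method not allowed') unless env['REQUEST_METHOD'] == 'POST'
    # 2. A DNS-rebinding page resolves its own name to 127.0.0.1 but still sends
    #    its own Host header; accept only the addresses the server is bound to.
    return text(403, 'bad host') unless ALLOWED_HOSTS.include?(env['HTTP_HOST'])
    # 3. A cross-origin <form> cannot set custom headers, and a fetch() that sets
    #    one needs a CORS preflight this server never answers; the value must
    #    also match the boot token.
    return text(403, 'bad token') unless constant_time_equal?(env['HTTP_X_CONSOLE_TOKEN'].to_s, @token)
    code = URI.decode_www_form(env['rack.input'].read).to_h['code'].to_s
    text(200, eval(code, TOPLEVEL_BINDING).inspect)
  end

  private

  # Length-then-XOR compare so a wrong token does not leak how many leading
  # bytes matched through response timing.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  token = SecureRandom.hex(16)
  puts "vulnerable: #{VulnerableConsole.new.call(browser_request_for(ATTACKER_PAGE)).inspect}"
  puts "hardened:   #{HardenedConsole.new(token).call(browser_request_for(ATTACKER_PAGE)).inspect}"
end
```

To serve the hardened version for real you would put `run HardenedConsole.new(SecureRandom.hex(16))` in a `config.ru` and start it with `rackup -o 127.0.0.1`. Note that binding to loopback alone does nothing against the scenario in the thread: the browser issuing the request already sits on the loopback interface, so the method, Host and token checks carry the weight, and the safest configuration is still not to enable an eval endpoint on a machine whose browser reaches the internet.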



