And where exactly does it show your hostname there? And are you sure you never used it as an account name or something like that? I can’t imagine they can access the hostname from JS.

Yea, first time I hit their site from this machine. And the alert showed on my mobile phone - "allow aluminium?"

One of these days I'm gonna log in with the debugger active.

One possible answer: if the phone app is a native app, it could be listening on a HTTP port and sending the phone's network information to the webserver, which then tells the webapp to ping the phone app, and then the phone uses reverse-mDNS to get the hostname.

I'm not sure why they would go to the trouble of getting the web app to talk to the phone app directly, but it is possible.

I'm logging in on a laptop and getting notifications on my mobile that contains my laptop hostname.

I don't have any banking app installed on either device.

It's confounding.

Weird. What kind of notification? SMS, email, Web Push notification?

There really isn't a way to get a hostname from javascript in a non-modified browser.