
On the subject of getting "private" data from the browser.

Somehow my bank webapp was able to 2FA prompt me on sign-in with my hostname (aluminium). How did it get that? And when using their site from mobile it's able to see the text with the 2FA code and auto paste it in! Wow/How? Pixel+Chrome or Linux+Chrome.



At least the 2FA code probably is a Chrome feature; Safari displays 2FA SMS text codes as an autocomplete suggestion and I could imagine that Chrome on Android just autofills it. For the hostname, it’s more difficult. Are you sure you never gave that info to the bank as a username or similar? What bank is this?


Institution for Savings. They use an app/webapp built by a third party that covers loads of small banks.


And where exactly does it show your hostname there? And are you sure you never used it as an account name or something like that? I can’t imagine they can access the hostname from JS.


Yea, first time I hit their site from this machine. And the alert showed on my mobile phone - "allow aluminium?"

One of these days I'm gonna log in with the debugger active.


One possible answer: if the phone app is a native app, it could be listening on an HTTP port and sending the phone's network information to the webserver, which then tells the webapp to ping the phone app, and then the phone uses reverse-mDNS to get the hostname.

I'm not sure why they would go to the trouble of getting the web app to talk to the phone app directly, but it is possible.


I'm logging in on a laptop and getting notifications on my mobile that contain my laptop hostname.

I don't have any banking app installed on either device.

It's confounding.


Weird. What kind of notification? SMS, email, Web Push notification?


There really isn't a way to get a hostname from JavaScript in a non-modified browser.



