Ashar -- is that Edit Review's page visible to users other than yourself? Are you able to get the reflected XSS when logged in as a separate user, or not logged in?
No. It does not reflect for the other user. The exploitation for this case is hard, given that it is a self-XSS.
Hi. No progress on this bug. I think it is because of the low-profile XSS or ...
Sorry about that, it's been a busy week. :)
It was just a reminder and it seems it worked out :) Bug status has been changed :)
Stuart, whilst you are looking at CSP etc., could you take a quick look at this please? It's a self-XSS, so very low priority.
Fix is committed - should be rolled out shortly. https://github.com/mozilla/addons-server/commit/29e7607aefc08c3b2e4f07c4e055b0c5575253b8
Fix is on prod.
Good! Can you make it open? It is closed for public viewing.