Hi team, I noticed that a stored XSS is possible using an SVG file loaded as an attachment to a report at https://bugzilla.mozilla.org

POC 1: access this report https://bugzilla.mozilla.org/show_bug.cgi?id=1112613 > find 'attachment 8857673 [details]' > click on name > click on image > XSS triggered
Tester: Thanks for your report, but this behavior is by design and desirable. You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain (Example: https://bug1356019.bmoattachments.org/...).
Right. But despite there being no change, XSS is possible for any member who has access to, for example, this report. It only takes low interaction to execute. Is this actually considered by design?
Tester: Yes, for BMO, the expectation is that a user can upload HTML content (including script tags) and upon visiting that content it would be interpreted by the browser, but the execution origin/domain will be something like bug1356019.bmoattachments.org rather than bugzilla.mozilla.org. This is a pretty heavily discussed topic with multiple reports, most of which are dup'd against bug 38862. Let me know if you have additional perspective here that hasn't already been covered in the linked bug or its dup'd dependents.
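The design the tester describes, that uploaded attachments are served from a per-bug sandbox host rather than from the main application origin, is an origin-isolation mitigation: script in an attachment runs, but it runs in an origin that shares neither DOM access nor session cookies with bugzilla.mozilla.org. The following added example (not Bugzilla's own code) models that in a few functions: the same-origin comparison a browser applies, RFC 6265 cookie domain matching, and a simplified attachment handler that redirects any attachment request arriving on a non-sandbox host. The host names mirror the ones quoted in the thread; the redirect path `/attachment.cgi?id=...` and the handler itself are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed values for this example; they mirror the host names quoted in the thread.
MAIN_ORIGIN = "https://bugzilla.mozilla.org"
ATTACHMENT_BASE_DOMAIN = "bmoattachments.org"


def attachment_origin(bug_id: int) -> str:
    """Per-bug sandbox origin, e.g. https://bug1356019.bmoattachments.org (hypothetical helper)."""
    return f"https://bug{int(bug_id)}.{ATTACHMENT_BASE_DOMAIN}"


def origin_of(url: str) -> tuple:
    """Browser origin tuple (scheme, host, port) as used by the same-origin policy."""
    p = urlparse(url)
    default_port = 443 if p.scheme == "https" else 80
    return (p.scheme, (p.hostname or "").lower(), p.port or default_port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and port all match; a different subdomain is a different origin."""
    return origin_of(url_a) == origin_of(url_b)


def cookie_sent_to(cookie_domain: str, host_only: bool, request_host: str) -> bool:
    """RFC 6265 domain matching: a host-only cookie goes only to the exact host that set it;
    a cookie with a Domain attribute also goes to subdomains of that domain."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def serve_attachment(bug_id: int, attachment_id: int, request_host: str,
                     body: bytes, content_type: str) -> dict:
    """Simplified handler (assumed design): active content is served unchanged, but only
    from the bug's own sandbox host. A request on any other host, including the main
    application host, is redirected to the sandbox origin instead of being served."""
    sandbox_host = origin_of(attachment_origin(bug_id))[1]
    if request_host.lower() != sandbox_host:
        # Assumed redirect target path; constructed for this example.
        location = f"{attachment_origin(bug_id)}/attachment.cgi?id={attachment_id}"
        return {"status": 302, "headers": {"Location": location}, "body": b""}
    return {
        "status": 200,
        "headers": {
            "Content-Type": content_type,
            # Keep the declared type; do not let the browser sniff a different one.
            "X-Content-Type-Options": "nosniff",
        },
        "body": body,
    }


if __name__ == "__main__":
    # Constructed sample: a bug id and attachment id taken from the thread, plus a placeholder SVG body.
    bug_id, att_id = 1112613, 8857673
    svg = b"<svg xmlns='http://www.w3.org/2000/svg'/>"
    print("sandbox origin:", attachment_origin(bug_id))
    print("same origin as main app?", same_origin(attachment_origin(bug_id), MAIN_ORIGIN))
    print("session cookie reaches sandbox host?",
          cookie_sent_to("bugzilla.mozilla.org", True, origin_of(attachment_origin(bug_id))[1]))
    print("request on main host ->", serve_attachment(bug_id, att_id, "bugzilla.mozilla.org", svg, "image/svg+xml")["status"])
    print("request on sandbox host ->", serve_attachment(bug_id, att_id, "bug1112613.bmoattachments.org", svg, "image/svg+xml")["status"])
```

The point the checks make is the one in the tester's reply: the attachment still executes, but a host-only session cookie set by bugzilla.mozilla.org is never sent to bugNNNN.bmoattachments.org, and a per-bug subdomain is also a distinct origin from every other bug's subdomain, so one attachment cannot read another bug's attachments or the main application's DOM.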