Do-it-yourself XSS
We receive a steady stream of reports from users who manually alter the HTML documents returned by our services (for example, with Firebug, Zed Attack Proxy, Burp Proxy, or Chrome Developer Tools) and inject alert(1) or equivalent JavaScript statements.
Note that the ability to inject code this way is not a bug: browsers allow users to alter the HTML or execute JavaScript locally in the context of any application they have loaded, and such code runs only in that user's own browser session.
Conclusion
If you report an XSS injection issue of the type described above, we won't file a bug based on your report, because we do not consider it a security bug.
Why? If an attacker can convince the victim to manually paste JavaScript code into Chrome Developer Tools, there is nothing a web application can do to prevent the attack: the code is executed by the victim, on the victim's own machine, outside anything the application controls. As usual, when in doubt about the security relevance of an issue, think through a realistic attack scenario: list the steps an attacker would need to complete in order to gain access to another user's data. If the only way to deliver the payload is for the victim to inject it into their own page by hand, the issue is self-XSS.
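The practical first check for a report like this is whether the payload ever comes back from the server, or whether it exists only because the reporter edited their own DOM. The helper below is an added example for this page, not code from Google or from any bug-tracking tooling; it assumes the reporter supplied the URL they used and the exact payload they injected, and the three sample responses are constructed here to cover each verdict.

```python
"""Triage check for 'I injected alert(1)' reports.

Added example, not part of the original page. The question it answers: does
the payload come back from the server (attacker-deliverable), or does it exist
only because the reporter edited their own DOM (self-XSS)?
"""
import html
import urllib.request

# Verdict strings returned by classify(); the wording is this example's own.
SELF_XSS = "payload absent from server response: self-XSS, not a security bug"
ESCAPED = "payload reflected but HTML-escaped: not a security bug"
REFLECTED = "payload reflected unescaped: investigate as reflected XSS"


def classify(body: str, payload: str) -> str:
    """Classify one server response against the payload the reporter used.

    Raw presence is checked before escaped presence, so a page that escapes
    the payload in one place and reflects it verbatim elsewhere is still
    flagged as REFLECTED.
    """
    if payload in body:
        return REFLECTED
    escaped_forms = {
        html.escape(payload, quote=True),
        html.escape(payload, quote=False),
    }
    if any(form in body for form in escaped_forms):
        return ESCAPED
    return SELF_XSS


def fetch_body(url: str, timeout: float = 10.0) -> str:
    """Fetch the reporter's URL exactly as given, payload included.

    A plain GET with no session cookie reproduces what a victim would receive
    when clicking an attacker's link. Not called in the offline demo below.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


# Constructed sample responses (not real service output), one per verdict.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE_BODIES = {
    # Reporter typed the payload into DevTools; the server never saw it.
    "self": "<p>Hello, alice</p>",
    # Server reflects the name parameter but escapes it correctly.
    "escaped": "<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>",
    # Server reflects the name parameter verbatim: a real reflected XSS.
    "reflected": "<p>Hello, <script>alert(1)</script></p>",
}


def triage_samples() -> dict:
    """Run classify() over the constructed samples; returns {name: verdict}."""
    return {name: classify(body, PAYLOAD) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:>9}: {verdict}")
```

Treat the SELF_XSS verdict as a first cut rather than a final answer: a DOM-based XSS whose source is location.hash or postMessage never reaches the server either, so when the payload is absent from the response, also confirm that the reporter's only delivery route was their own hands (DevTools, a proxy edit of their own response) and not a URL fragment or message an attacker could send to someone else.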
Self-XSS – ft. InsiderPhD