MusicBrainz Server / MBS-12719

Arbitrary JS can be injected via redirect_uri when seeding release edit


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Component: Release editor

      It seems like it may be possible to steal a user's cookies if you can get them to create a release using a specially-crafted https://musicbrainz.org/release/add POST request. This requires them to click through the interstitial warning screen that MB displays for POST requests, but I assume that most users do that when seeding edits without carefully reading each parameter.

      The issue appears to exist due to this code in root/static/scripts/release-editor/edits.js (which I think that Jira may butcher, unfortunately):

      function chainEditSubmissions(release, submissions) {
        // ...
        function nextSubmission(index) {
          var current = submissions[index++];

          if (!current) {
            // We're done!

            // Don't ask for confirmation before redirecting.
            root.redirecting = true;

            if (releaseEditor.redirectURI) {
              // The seeded redirect_uri is parsed by assigning it to an anchor.
              var a = document.createElement('a');
              a.href = releaseEditor.redirectURI;

              // Append release_mbid to the query string ('&' if one already exists).
              a.search += /^\?/.test(a.search) ? '&' : '?';
              a.search += 'release_mbid=' + release.gid();

              window.location.href = a.href;
            } else {
              window.location.pathname = '/release/' + release.gid();
            }
            return;
          }
          // ...
        }
        // ...
      }

      JavaScript code can be injected on either side of the "release_mbid=..." string by setting the "redirect_uri" parameter to a value starting with "javascript:". The right-hand side of the code can be passed via the hash portion of the URL.

      For example, setting "redirect_uri" to the following logs the user's cookies to the console:

      javascript:foo="#";console.log(document.cookie);

      "?release_mbid=..." (without the quotes) gets inserted just before the '#' in this code.

      I actually find this behavior useful since I'm trying to make my seeder redirect to /add-cover-art after adding a release. This isn't easy to do otherwise, since redirect_uri adds a "release_mbid" query parameter, but the add-cover-art endpoint needs the release's MBID to be included in the path.

      To handle this, I found that I can pass a redirect_uri value like the following (split over multiple lines here for readability):

      javascript:mbid="#".slice(14,-1);
      window.location="https://musicbrainz.org/release/"+mbid+"/add-cover-art"

      So this is useful for me (since otherwise I'd probably need to create a tiny HTTP handler that accepts "?release_mbid" URLs and redirects to /add-cover-art), but I figured I should file a bug in case this behavior wasn't intentional. It may not be a big deal, since most seeding probably happens via userscripts that may already be able to do whatever they want.
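A hardened version of the redirect construction quoted above, as an added example that is not MusicBrainz code: it keeps the `release_mbid` query parameter and the `/release/<gid>` fallback described in the report, but only follows `http:`/`https:` targets. The function name and the sample MBID are constructed for this illustration.

```javascript
// Added example (not MusicBrainz Server code). Builds the post-submission
// redirect from a seeded redirect_uri while refusing non-http(s) schemes.
// Field name (redirect_uri), parameter (release_mbid) and the fallback path
// come from the report; buildRedirectTarget and the sample gid are ours.
function buildRedirectTarget(redirectURI, releaseGid) {
  // Same default the editor uses when no redirect_uri was seeded.
  const defaultTarget = '/release/' + releaseGid;
  if (!redirectURI) return defaultTarget;

  let url;
  try {
    // WHATWG URL parsing, the same rules the browser applies to <a>.href.
    // Relative or malformed values are rejected rather than guessed at.
    url = new URL(redirectURI);
  } catch (e) {
    return defaultTarget;
  }

  // The reported bug: <a>.href happily accepts "javascript:" (and would
  // accept "data:", "vbscript:", ...) and the result was assigned to
  // window.location. Allow-list the only schemes a seeder needs.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return defaultTarget;
  }

  // URLSearchParams decides between '?' and '&' and percent-encodes the
  // value, replacing the hand-rolled a.search concatenation.
  url.searchParams.set('release_mbid', releaseGid);
  return url.href;
}

// Constructed sample input: a fake release MBID and three seeded values.
const SAMPLE_GID = '11111111-2222-3333-4444-555555555555';
const SAMPLE_REDIRECTS = [
  'https://example.org/seeder/done',        // accepted, '?' appended
  'https://example.org/seeder/done?from=x', // accepted, '&' appended
  'javascript:void(0)',                     // rejected: falls back
];

function demo() {
  return SAMPLE_REDIRECTS.map(r => buildRedirectTarget(r, SAMPLE_GID));
}
```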

            Assignee: Unassigned
            Reporter: derat
            Votes: 0
            Watchers: 4
