I see a warning in the DevTools about "Self-xss"?
Reported by
cmarkta...@gmail.com,
Nov 1 2016
Issue description

VULNERABILITY DETAILS
I received a warning on my console that my Google account was prone to an attack called self-XSS. I noticed that my Google account has this: ?utm_source=OGB&pli=1
This Facebook app can compromise a user's Facebook account.

VERSION
Chrome Version: [54.0.2840.71 64bit] + [stable, beta, or dev]
Operating System: [Windows7 64bit]

REPRODUCTION CASE
https://www.google.com.ph/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&cad=rja&uact=8&ved=0ahUKEwiqlbXjmIbQAhWqJ8AKHXemCbMQFggpMAM&url=http%3A%2F%2Fwww.smartapproach.n.nu%2F&usg=AFQjCNGkJxwYj5MzVEu75QegIovJY6p64A&sig2=7jAWuH-fdW-LlMgMKArFmQ
https://staticxx.facebook.com/connect/xd_arbiter/r/fTmIQU3LxvB.js?version=42#
https://www.facebook.com/l.php?u=http%3A%2F%2Fon.fb.me%2F1mXNHhm&h=6AQFDyZra&s=1 redirects to another site: http://on.fb.me/1mXNHhm
,
Nov 1 2016
I'm not sure I understand the problem. http://on.fb.me/1mXNHhm redirecting to a facebook webpage seems correct to me. Could you elaborate more about self xss? Thanks.
,
Nov 1 2016
,
Nov 1 2016
Allow me to improve my report. Cross-origin attacks work by using CSS style sheets from vulnerable pages and extracting sensitive information from these pages in the form of CSS property attributes.

Reproduction Cases:
1. http://www.smartapproach.n.nu/ It shows an error, "refused to display"; there was a link indicated on it, it is the URL below.
2. https://www.facebook.com/l.php?u=http%3A%2F%2Fon.fb.me%2F1mXNHhm&h=6AQFDyZra&s=1 This means that I followed a link on Facebook that redirects me to another site.
3. http://on.fb.me/1mXNHhm This is another vulnerability. I noticed that there was an error on my console.

I discovered that Google accounts are vulnerable to self-XSS. Self-XSS is a social engineering attack used to gain control of a victim's web accounts. In a self-XSS attack, the victim of the attack accidentally runs malicious code in his/her web browser, thus exposing it to the attacker.
https://myaccount.google.com/?pli=1
,
Nov 1 2016
This is working as intended. The website is warning the user that they may be tricked into doing something dangerous if they're using the Console, as the developer tools console allows the user to execute dangerous script that exposes the content of the page to another site.
,
Feb 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by cmarkta...@gmail.com, Nov 1 2016 (attachment, 153 KB)