It's not a self xss When the victim accesses the page with the reflected Host header, the malicious script can execute then leads to an XSS attack and account take over