Security: Executing JavaScript through bookmarks bar
Reported by
smartmoo...@gmail.com,
Jul 19 2016
Issue description

Hi, I would like to report a security issue within bookmarks. The problem exists because `javascript:` URIs are allowed in bookmarks.

## Reproduce:

1. Create a new bookmark in the bookmarks bar folder and add `javascript:alert(1);` as the URL.
2. Go to google.com, then click the bookmark you have created.

Also, clicking the bookmark which has a `javascript:` URL bypasses CSP. For example, if a site has a CSP rule such as `script-src 'self'`, JavaScript shouldn't be allowed to be executed through `javascript:` URIs; however, through this bug it will be executed.

The impact is not only bypassing CSP; it can be a more dangerous issue which requires some user interaction (the user will have to enter the XSS payload himself).

## Scenario:

Attacker has a website named "theEvilSite.com". Attacker tells users to add his site to their bookmarks by clicking some link that will copy "javascript:[XSS_Payload]//some_long_path_so_victims_don't_notice" to the victim's payload, then copying it to the URL field in the new bookmark form. The victim believes that nothing harmful can be done through bookmarks, so he actually does what the attacker says and copies the link and adds the bookmark. Victim goes to `gmail.com`, then he decides to see "theEvilSite.com", so he clicks the bookmark link. The malicious JavaScript payload gets executed.

VERSION
Chrome Version: 51.0.2704.106 m (64-bit) + stable
Operating System: Windows 10 64-bit
Jul 20 2016
See https://en.wikipedia.org/wiki/Bookmarklet, this is intentional and is not a security issue.
Jul 20 2016
Oh, yes, looks like it's intentional. What about the fact that this bypasses CSP? It doesn't happen in other browsers.
Jul 20 2016
Re #3: https://w3c.github.io/webappsec-csp/#extensions Basically, browser features like extensions and bookmarklets ought to bypass a page's policy. That they don't in other browsers is, IMO, a bug in those browsers.
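Since a page's CSP is, by design, not a control against bookmarklets, the defender-side check is to audit the bookmarks themselves. The following is an added example (not code from the report or from Chromium) that walks a Chrome "Bookmarks" JSON file and flags `javascript:` URLs like the one in the report's scenario, including ones disguised with whitespace or mixed case. It assumes the file's layout (a `roots` object of folders whose `children` are entries of type `url` or `folder`) and constructs its own sample input.

```javascript
// Added example, not from the bug report or Chromium: audit a Chrome "Bookmarks"
// JSON file for bookmarklets (javascript: URLs). Assumed layout: a "roots" object
// of folders, each with "children" entries of type "url" or "folder".
// Scheme check mirroring URL-parser normalisation: leading/trailing C0 controls
// and spaces are stripped, ASCII tab/newline removed anywhere, and the scheme is
// compared case-insensitively, so " JaVa\nScript:" still counts as javascript:.
function hasJavascriptScheme(url) {
  if (typeof url !== "string") return false;
  const s = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
               .replace(/[\t\n\r]/g, "");
  return s.toLowerCase().startsWith("javascript:");
}

// Depth-first walk of one folder; collects {path, name, url} per bookmarklet.
function findBookmarklets(node, path = [], out = []) {
  if (!node || typeof node !== "object") return out;
  if (node.type === "url") {
    if (hasJavascriptScheme(node.url)) {
      out.push({ path: path.join("/"), name: node.name, url: node.url });
    }
    return out;
  }
  const children = Array.isArray(node.children) ? node.children : [];
  for (const child of children) {
    findBookmarklets(child, path.concat(node.name || "?"), out);
  }
  return out;
}

// Scan every root (bookmark_bar, other, synced, ...) of a parsed Bookmarks file.
function scanBookmarksFile(bookmarks) {
  const roots = (bookmarks && bookmarks.roots) || {};
  let hits = [];
  for (const key of Object.keys(roots)) hits = findBookmarklets(roots[key], [], hits);
  return hits;
}

// Constructed sample input in that layout; the second entry is the report's
// scenario, disguised with leading whitespace, an embedded newline and mixed case.
const SAMPLE_BOOKMARKS = { roots: {
  bookmark_bar: { name: "Bookmarks bar", type: "folder", children: [
    { name: "Search", type: "url", url: "https://www.google.com/" },
    { name: "theEvilSite.com", type: "url",
      url: " \tJava\nScript:alert(1);//some_long_path_so_victims_don't_notice" },
  ] },
  other: { name: "Other bookmarks", type: "folder", children: [] },
} };

for (const h of scanBookmarksFile(SAMPLE_BOOKMARKS)) {
  console.log(`bookmarklet in "${h.path}": ${h.name}`);
}
```

On a real profile, parse the Bookmarks file with `JSON.parse` and pass the object to `scanBookmarksFile`; each hit is a bookmark the CSP of the visited page will not stop.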
Oct 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Jul 20 2016
Components: UI>Browser>Bookmarks
Labels: Security_Severity-Low Security_Impact-Stable M-54 Pri-2
Status: Available (was: Unconfirmed)