Can you elaborate on which part of this you would consider a URL spoof, and how specifically the repro works? (e.g. is the user supposed to click the alert immediately? Is the alert considered part of the repro?)

The web platform, by design, allows a page to open a window to about:blank and to write whatever markup it wishes into that window, without changing the displayed URL. Given that by-design capability, a complicated means of placing markup into a window bearing a URL of about:blank doesn't seem very interesting from a security POV.

Sorry, maybe reproduction is not clear. 
Alert isn't a part of the repro. It can be excluded from the code. 
URL of this page (e.g. evildomain.com) changes to 'about:blank' after this page was loaded. 
So page loaded from evildomain.com will be displayed with url 'about:blank'. 
HTML file without alert attached:

Deleted: index_big_location_hash.html 833 bytes

index_big_location_hash.html 833 bytes View Download

Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Example(screenshot): The website was loaded from localhost, but displayed URL changed to 'about:blank'.

Behavior of other browsers:
- Mozilla Firefox throws error about malformed URL.

Deleted: Снимок экрана 2017-05-05 в 19.29.09.png 52.0 KB

	Снимок экрана 2017-05-05 в 19.29.09.png 52.0 KB View Download

This looks like bug 571784.