Note: I don't repro this on stable, only on Dev and Canary (didn't check on beta yet).

Minimized testcase:

w = window.open('https://www.google.com/csi');
w.document.write('This is fake!');

This is at least severity medium, and possibly high depending on whether we consider the spoof compelling (e.g. no lock, etc).

Deleted: FakedAddress.png 6.4 KB

	FakedAddress.png 6.4 KB View Download

Trying the minimized case locally (as in comment #3) seems to show "about:blank" in the omnibox, as expected. 

This may be fallout from PlzNavigate or OOPIF experiments?

Initial attempt to bisect yields no obvious culprits:

You are probably looking for a change made after 465478 (known good), but no later than 465485 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/b1acf5794d7c39d91a104571216213ab5841b93b..b8d842d9a8a6d837901ce9ef4629c6ebdaef5694

Hmm. The internal bisect script points to a V8 roll which seems... surprising.

You are probably looking for a change made after 465483 (known good), but no later than 465484 (first known bad).
  https://chromium.googlesource.com/chromium/src/+log/0f47d06919be1dfd8a307f2dca899612dcb68f9a..8267f48654eb20e9d6453b53f2da310953d244f1

https://chromium.googlesource.com/v8/v8/+/cd76322817760cd1c1d7538f51f1907df7b6cde3 which was only one of two checkins in that v8 roll looks a bit suspicious.

I don't repro this locally, still looks bad. Also, I can spoof with e.g:

w = window.open('http://xn----zmcjivgk7jmdb3e.xn--mgberp4a5d4ar/');
w.document.write('This is fake!');

And also:

w = window.open('https://gmail.com:91');
w.document.write('This is fake!');

This looks like  bug 718946 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot