Malicious inline images may block access to the parent Website
Reported by
bernardo...@gmail.com,
Feb 19 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce the problem:
1. Visit a website that allows submitting external (inline) images via Markdown, for example
2. Submit a link to a website blocked by Safe Browsing
3. The whole view is blocked with the "Deceptive Site Ahead" warning

What is the expected behavior?

What went wrong?
It's possible to block access to websites by submitting several known malicious websites.

There's also a variant of these attacks in which you specify a link protected with HTTP Basic Authentication in order to force a popup overlay prompting for credentials. This is described here -> https://bugs.chromium.org/p/chromium/issues/detail?id=400380

Older versions of Chrome would display an authentication popup for different origins, but newer versions like 64 don't display them anymore, returning the message "Failed to load resource: the server responded with a status of 401 (Unauthorized)".

Did this work before? N/A

Chrome version: 64.0.3282.167
Channel: stable
OS Version: OS X 10.12.6
Flash Version: -

I have seen and reported this issue during several website tests. Most companies don't consider this an issue as the solution would require them to proxy the images, for example. This "problem" affects lots of forums, issue trackers, chat applications etc.

Additionally, Safari's Fraud protection does not follow this behavior and does not block access to parent websites with malicious inline images.

Here's a POC of how this can be used to abuse Mattermost (an open-source Slack): https://youtu.be/wy0QVvHbnw0

And here's the user trying to log in to the application with the malicious link: https://youtu.be/fdc0bp6hulk
Mar 16 2018
This is working as intended. The site owner should consider checking the Safe Browsing reputation of the resource before allowing it to be submitted. See: https://developers.google.com/safe-browsing/
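The mitigation suggested above (checking a submitted inline image's Safe Browsing reputation before accepting the post) as an added example; this is not code from the Chromium issue or from any of the affected products. It extracts `![alt](url)` image links from a Markdown body, builds a Safe Browsing Lookup API v4 `threatMatches:find` request, and rejects the post if any image URL is flagged. The API key, the client id `example-forum`, the `malicious.example` URL and the offline stub lookup are constructed for the example.

```python
import json
import re
import urllib.request
from typing import Callable, Dict, List

# Markdown inline image syntax: ![alt text](http://host/path "optional title")
MD_IMAGE_RE = re.compile(r'!\[[^\]]*\]\(\s*(<[^>]*>|[^\s)]+)')

SAFE_BROWSING_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

# Constructed sample blocklist used by the offline stub below (not real indicators).
CONSTRUCTED_BLOCKLIST = {"http://malicious.example/lure.png"}


def extract_image_urls(markdown: str) -> List[str]:
    """Return the image URLs referenced by ![...](url) in a Markdown body."""
    return [m.strip("<>") for m in MD_IMAGE_RE.findall(markdown)]


def build_lookup_request(urls: List[str], client_id: str = "example-forum",
                         client_version: str = "1.0") -> Dict:
    """Build the JSON body of a Safe Browsing Lookup API v4 threatMatches:find call."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def google_lookup(body: Dict, api_key: str) -> Dict:
    """Real transport: POST the body to the Lookup API (needs network and an API key)."""
    req = urllib.request.Request(f"{SAFE_BROWSING_ENDPOINT}?key={api_key}",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def offline_lookup(body: Dict) -> Dict:
    """Stub transport that mimics the API's response shape against the constructed blocklist."""
    hits = [e["url"] for e in body["threatInfo"]["threatEntries"] if e["url"] in CONSTRUCTED_BLOCKLIST]
    return {"matches": [{"threatType": "SOCIAL_ENGINEERING", "threat": {"url": u}} for u in hits]}


def flagged_image_urls(markdown: str, lookup: Callable[[Dict], Dict]) -> List[str]:
    """Return the image URLs the reputation service flags; empty means the post may be accepted."""
    urls = extract_image_urls(markdown)
    if not urls:
        return []
    # The API answers {} when nothing matches, otherwise {"matches": [{"threat": {"url": ...}}, ...]}.
    response = lookup(build_lookup_request(urls))
    return sorted({m["threat"]["url"] for m in response.get("matches", [])})
```

In production, pass `lambda body: google_lookup(body, API_KEY)` as the `lookup` argument; proxying images through your own origin, as the reporter mentions, is the alternative when a reputation check at submission time is not enough (a host can turn malicious after the post is accepted).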
Comment 1 by och...@chromium.org
Feb 19 2018
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Via-Wizard-Security Type-Bug
Status: Untriaged (was: Unconfirmed)