
Issue 882154

Issue metadata

Status: Duplicate
Merged: issue 881694
Owner: ----
Closed: Sep 9
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: misleading hostnames in Chrome 69

Reported by benburh...@gmail.com, Sep 8

Issue description

VULNERABILITY DETAILS
Chrome 69 defies its own security policy by misrepresenting the URL.

VERSION
Chrome Version: 69.0.3497.81 (Official Build) (64-bit)
Operating System: Windows 7 Ultimate 6.1.7601 SP1 build 7601

REPRODUCTION CASE
1.) Navigate to https://www.tumblr.com/. Observe the official, authoritative web site published by the company behind the domain name tumblr.com.
2.) With default settings and flags in Chrome 69, note that the subdomain is obscured.
3.) Navigate to https://m.tumblr.com/. Observe the unofficial, user-created arbitrary content published by a customer of the company behind the domain name tumblr.com.
4.) With the same default settings, flags, and Chrome version, note that the subdomain is obscured, and that the URL displayed is identical to the one displayed in Step 2.

The identity of a page is not just contained in the topmost levels of its hostname. This is a severe vulnerability issue that violates the trust a user expects to place in their user agent and the pages it navigates to.

As another example, assume someone is able to place arbitrary content on https://www.www.google.com. Observe that such a site is now identical to the well-known https://www.google.com as far as the chrome section of the application is concerned.

The chrome area is sacred, intended to be implicitly trusted and not easily tampered with, and the browser should not erode the confidence users have been taught to place in it.
 
References: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#where-are-the-security-indicators-located-in-the-browser-window

"Furthermore, Chrome can only guarantee that it is correctly representing URLs and their origins at the end of all navigation. Quirks of URL parsing, HTTP redirection, and so on are not security concerns unless Chrome is misrepresenting a URL or origin after navigation has completed."

'Misrepresenting a URL or origin after navigation has completed' is exactly what Chrome 69 is doing.
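
The collision described in the reproduction case can be checked mechanically. The following is an added example, not part of the original report and not Chromium's code: it assumes a simplified elision model in which leading `www` and `m` labels are hidden from display, and the names `displayedHost`, `findDisplayCollisions` and `SAMPLE_URLS` are hypothetical.

```javascript
// Simplified model of the display elision described in the report.
// Assumption: leading "www" and "m" labels are hidden; this is not Chromium's code.
const HIDDEN_LABELS = new Set(["www", "m"]);

// Return the host string a user would see under the modeled elision.
function displayedHost(url) {
  const labels = new URL(url).hostname.split(".");
  // Keep at least two labels so the result is never a bare TLD.
  while (labels.length > 2 && HIDDEN_LABELS.has(labels[0])) {
    labels.shift();
  }
  return labels.join(".");
}

// Group URLs by displayed host and report every displayed string that
// stands for more than one real hostname (that is, more than one origin).
function findDisplayCollisions(urls) {
  const byDisplay = new Map();
  for (const url of urls) {
    const real = new URL(url).hostname;
    const shown = displayedHost(url);
    if (!byDisplay.has(shown)) byDisplay.set(shown, new Set());
    byDisplay.get(shown).add(real);
  }
  const collisions = {};
  for (const [shown, hosts] of byDisplay) {
    if (hosts.size > 1) collisions[shown] = [...hosts].sort();
  }
  return collisions;
}

// Hostnames taken from the report, plus one constructed control (example.org).
const SAMPLE_URLS = [
  "https://www.tumblr.com/",
  "https://m.tumblr.com/",
  "https://www.www.google.com/",
  "https://www.google.com/",
  "https://example.org/",
];

console.log(findDisplayCollisions(SAMPLE_URLS));
```

Each key in the result is a displayed host that stands for more than one real hostname, which is the ambiguity the report objects to.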
Mergedinto: 881694
Status: Duplicate (was: Unconfirmed)
Hello! Thank you for the report. This issue has been reported previously and is being tracked in the duplicate issue. Thanks!
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 17

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot