Do not rewrite about urls to chrome:// for cetain renderer-initated loads

ios/web/navigation/crw_session_controller.mm

Index: ios/web/navigation/crw_session_controller.mm
diff --git a/ios/web/navigation/crw_session_controller.mm b/ios/web/navigation/crw_session_controller.mm
index 21f7ffe36f3fecc90c6993252bcfc7de068e7fe8..5b3e0c540ee7151db9cb2c38a73a0a1fc1b9c13f 100644
--- a/ios/web/navigation/crw_session_controller.mm
+++ b/ios/web/navigation/crw_session_controller.mm
@@ -659,6 +659,20 @@ initiationType:(web::NavigationInitiationType)initiationType {
         &loaded_url, _browserState);
   }
 
+  if (initiationType == web::NavigationInitiationType::RENDERER_INITIATED &&
+      loaded_url != url && web::GetWebClient()->IsAppSpecificURL(loaded_url)) {
+    bool lastCommittedURLIsAppSpecific =
+        self.lastCommittedItem &&
+        web::GetWebClient()->IsAppSpecificURL(self.lastCommittedItem->GetURL());
+    if (!lastCommittedURLIsAppSpecific) {
+      // The URL should not be changed to app-specific URL if the load was
+      // renderer-initiated requested by non app-specific URL. Pages with
+      // app-specific urls have elevated previledges and should not be allowed
+      // to open app-specific URLs.
+      loaded_url = url;
+    }
+  }
+
   std::unique_ptr<web::NavigationItemImpl> item(new web::NavigationItemImpl());
   item->SetOriginalRequestURL(loaded_url);
   item->SetURL(loaded_url);