Move URL fixup to a preliminary phase that doesn't affect virtual URLs.

chrome/browser/browser_about_handler.cc

Index: chrome/browser/browser_about_handler.cc
diff --git a/chrome/browser/browser_about_handler.cc b/chrome/browser/browser_about_handler.cc
index 7d1958577adfd67905f0e0217cb3c44b65a7c799..42a453a8018f8a5f030cbb5a463f1ea1c965b9ca 100644
--- a/chrome/browser/browser_about_handler.cc
+++ b/chrome/browser/browser_about_handler.cc
@@ -16,11 +16,21 @@
 #include "chrome/common/url_constants.h"
 #include "components/url_fixer/url_fixer.h"
 
+bool FixupBrowserAboutURL(GURL* url,
+                          content::BrowserContext* browser_context) {
+  // Ensure that any cleanup done by FixupURL happens before the rewriting
+  // phase that determines the virtual URL, by including it in an initial
+  // URLHandler.  This prevents minor changes from producing a virtual URL,
+  // which could lead to a URL spoof.
+  *url = url_fixer::FixupURL(url->possibly_invalid_spec(), std::string());
+  return true;
+}
+
 bool WillHandleBrowserAboutURL(GURL* url,
                                content::BrowserContext* browser_context) {
   // TODO(msw): Eliminate "about:*" constants and literals from code and tests,
   //            then hopefully we can remove this forced fixup.
-  *url = url_fixer::FixupURL(url->possibly_invalid_spec(), std::string());
+  FixupBrowserAboutURL(url, browser_context);
 
   // Check that about: URLs are fixed up to chrome: by url_fixer::FixupURL.
   DCHECK((*url == GURL(url::kAboutBlankURL)) ||