Mozilla eases fears over phishy URL alert
Mozilla developers have eased concerns about the severity of a security feature in Firefox that often fails to warn users when they've encountered obfuscated URLs that might lead to malicious websites. Developers of the open-source browser have known of the URL warning bypass since at least June, when it was reported here. Under …
Old link
The link Sood referred to is for a vulnerability that was fixed before Chrome reached version 1 (it's specifically referring to version 0.2.149.xx, some of the earlier beta builds). It's now at version 6 in the dev branch, and should be released as version 6 within the next few weeks.
The fact that Google felt this was worthwhile to patch nearly two years ago should tell them something. At the very least they should have checked to see if that flaw still existed before making themselves look silly in an attempt to downplay the fact that their browser was found to be vulnerable to it.
Obfuscating URLs which aren't displayed?
AFAIK obfuscated URLs are only used to reassure the user that they are visiting one site when in fact they're visiting another by showing something which looks legit in the address bar but isn't (using some of the more exotic syntax features that URLs offer).
What would be the benefit of obfuscating a URL in an iframe? Iframes don't have address bars and the browser's phishing filter would display a warning anyway. If a browser does put obfuscation protection on iframes then it can be gotten round by not obfuscating it.
Or is there something I'm missing?


