Diffstat (limited to 'chromium/content/common/cross_site_document_classifier.cc')
-rw-r--r--chromium/content/common/cross_site_document_classifier.cc7
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/content/common/cross_site_document_classifier.cc b/chromium/content/common/cross_site_document_classifier.cc
index 78417aa2b83..3518d84f2c3 100644
--- a/chromium/content/common/cross_site_document_classifier.cc
+++ b/chromium/content/common/cross_site_document_classifier.cc
@@ -5,6 +5,7 @@
#include "content/common/cross_site_document_classifier.h"
#include <stddef.h>
+#include <string>
#include "base/command_line.h"
#include "base/lazy_instance.h"
@@ -111,12 +112,16 @@ bool CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
// non-standard practice, and not supported by Chrome. Refer to
// CrossOriginAccessControl::passesAccessControlCheck().
+ // Note that "null" offers no more protection than "*" because it matches any
+ // unique origin, such as data URLs. Any origin can thus access it, so don't
+ // bother trying to block this case.
+
// TODO(dsjang): * is not allowed for the response from a request
// with cookies. This allows for more than what the renderer will
// eventually be able to receive, so we won't see illegal cross-site
// documents allowed by this. We have to find a way to see if this
// response is from a cookie-tagged request or not in the future.
- if (access_control_origin == "*")
+ if (access_control_origin == "*" || access_control_origin == "null")
return true;
// TODO(dsjang): The CORS spec only treats a fully specified URL, except for
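Review bot: The new `|| access_control_origin == "null"` branch shares one `if` with `"*"`, but the TODO directly above it reasons only about `*` being disallowed on credentialed requests. As far as I know, `null` can be honored together with credentials for opaque origins, so that TODO's argument does not carry over and the two cases are exempted for different reasons. I would state this in the added comment, for example `// Unlike "*", "null" may also be honored on credentialed requests; the TODO below applies to "*" only.`, so a later fix for the cookie case does not silently change the `null` handling. The diffstat shown is limited to this file, so I cannot tell whether a unit test covers a `null` header value; if none does, one should pin this as a deliberate exemption. The body of `IsValidCorsHeaderSet` starts and ends outside the hunk, so how `access_control_origin` is trimmed or normalized before this exact-match comparison is not visible here.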