Correctly handle CORS access checks over cache-validating responses.

Source/core/fetch/ResourceLoader.cpp

Index: Source/core/fetch/ResourceLoader.cpp
diff --git a/Source/core/fetch/ResourceLoader.cpp b/Source/core/fetch/ResourceLoader.cpp
index 1ad15e7919e908f23367c022ecdaba8afc063e31..0d2d6c42ed04fc51e7f457bb0548394533e55709 100644
--- a/Source/core/fetch/ResourceLoader.cpp
+++ b/Source/core/fetch/ResourceLoader.cpp
@@ -313,8 +313,15 @@ void ResourceLoader::didReceiveResponse(blink::WebURLLoader*, const blink::WebUR
     const ResourceResponse& resourceResponse = response.toResourceResponse();
 
     if (responseNeedsAccessControlCheck()) {
-        m_resource->setResponse(resourceResponse);
-        if (!m_host->canAccessResource(m_resource, response.url())) {
+        // If the response successfully validated a cached resource, perform
+        // the access control with respect to it. Need to do this right here
+        // before the resource switches clients over to that validated resource.
+        Resource* resource = m_resource;
+        if (resource->isCacheValidator() && resourceResponse.httpStatusCode() == 304)
+            resource = m_resource->resourceToRevalidate();
+        else
+            m_resource->setResponse(resourceResponse);
+        if (!m_host->canAccessResource(resource, response.url())) {
             cancel();
             return;
         }