Grant permission to the base url when loadDataWithBaseURL is called.

content/browser/frame_host/render_frame_host_impl.cc

Index: content/browser/frame_host/render_frame_host_impl.cc
diff --git a/content/browser/frame_host/render_frame_host_impl.cc b/content/browser/frame_host/render_frame_host_impl.cc
index fadeeca42041cb03120150ffe39978fa7c35804d..03c7f7ef68d84e6941c575f4acd2a65346bcd47b 100644
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -2809,9 +2809,9 @@ void RenderFrameHostImpl::UpdatePermissionsForNavigation(
     ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
         GetProcess()->GetID(), common_params.url);
     if (common_params.url.SchemeIs(url::kDataScheme) &&
-        common_params.base_url_for_data_url.SchemeIs(url::kFileScheme)) {
-      // If 'data:' is used, and we have a 'file:' base url, grant access to
-      // local files.
+        !common_params.base_url_for_data_url.is_empty()) {
+      // Need to grant permission to the base url because bse url will be used
+      // as the origin for font requests.

[Charlie Reis, 2016/07/22 18:31:49]

Let's update the comment, because CORS is not just about font requests (and
because the previous file: comment still applies).  Something like:

When there's a base URL specified for the data URL, we also need to grant access
to the base URL.  This allows file: and other unexpected schemes to be accepted
at commit time and during CORS checks (e.g., for font requests).

[hush (inactive), 2016/07/26 02:42:54]

Done.

       ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
           GetProcess()->GetID(), common_params.base_url_for_data_url);
     }